From d27c3f57c4e3b89fff811b0b3460833d64c4fcbe Mon Sep 17 00:00:00 2001
From: Carthik Sharma
Date: Tue, 2 Apr 2024 20:17:07 -0700
Subject: [PATCH 1/2] Add options to manage file system access options to Service Added in version 231, systemd provides options to manage file system access options to processes executed by systemd services. Adding these as valid options. See https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#ReadWritePaths= for docs.
---
 REFERENCE.md | 5 +++++
 types/unit/service.pp | 5 +++++
 2 files changed, 10 insertions(+)
diff --git a/REFERENCE.md b/REFERENCE.md
index 4c58eccb..0a43d246 100644
--- a/REFERENCE.md
+++ b/REFERENCE.md
@@ -2753,6 +2753,11 @@ Struct[{
 Optional['ProtectHome'] => Variant[Boolean, Enum['read-only', 'tmpfs']],
 Optional['BindPaths'] => Variant[Stdlib::Unixpath,Pattern[/-\/.+/], Array[Variant[Stdlib::Unixpath,Pattern[/-\/.+/]],1]],
 Optional['BindReadOnlyPaths'] => Variant[Stdlib::Unixpath,Pattern[/-\/.+/], Array[Variant[Stdlib::Unixpath,Pattern[/-\/.+/]],1]],
+ Optional['ReadWritePaths'] => Variant[Stdlib::Unixpath,Pattern[/-\/.+/], Array[Variant[Stdlib::Unixpath,Pattern[/-\/.+/]],1]],
+ Optional['ReadOnlyPaths'] => Variant[Stdlib::Unixpath,Pattern[/-\/.+/], Array[Variant[Stdlib::Unixpath,Pattern[/-\/.+/]],1]],
+ Optional['InaccessiblePaths'] => Variant[Stdlib::Unixpath,Pattern[/-\/.+/], Array[Variant[Stdlib::Unixpath,Pattern[/-\/.+/]],1]],
+ Optional['ExecPaths'] => Variant[Stdlib::Unixpath,Pattern[/-\/.+/], Array[Variant[Stdlib::Unixpath,Pattern[/-\/.+/]],1]],
+ Optional['NoExecPaths'] => Variant[Stdlib::Unixpath,Pattern[/-\/.+/], Array[Variant[Stdlib::Unixpath,Pattern[/-\/.+/]],1]],
 Optional['PrivateDevices'] => Boolean,
 Optional['RemoveIPC'] => Boolean,
 Optional['ProtectKernelModules'] => Boolean,
diff --git a/types/unit/service.pp b/types/unit/service.pp
index 0b4c07c8..d0f30717 100644
--- a/types/unit/service.pp
+++ b/types/unit/service.pp
@@ -109,6 +109,11 @@
 Optional['ProtectHome'] => Variant[Boolean, Enum['read-only', 'tmpfs']],
 Optional['BindPaths'] => Variant[Stdlib::Unixpath,Pattern[/-\/.+/], Array[Variant[Stdlib::Unixpath,Pattern[/-\/.+/]],1]],
 Optional['BindReadOnlyPaths'] => Variant[Stdlib::Unixpath,Pattern[/-\/.+/], Array[Variant[Stdlib::Unixpath,Pattern[/-\/.+/]],1]],
+ Optional['ReadWritePaths'] => Variant[Stdlib::Unixpath,Pattern[/-\/.+/], Array[Variant[Stdlib::Unixpath,Pattern[/-\/.+/]],1]],
+ Optional['ReadOnlyPaths'] => Variant[Stdlib::Unixpath,Pattern[/-\/.+/], Array[Variant[Stdlib::Unixpath,Pattern[/-\/.+/]],1]],
+ Optional['InaccessiblePaths'] => Variant[Stdlib::Unixpath,Pattern[/-\/.+/], Array[Variant[Stdlib::Unixpath,Pattern[/-\/.+/]],1]],
+ Optional['ExecPaths'] => Variant[Stdlib::Unixpath,Pattern[/-\/.+/], Array[Variant[Stdlib::Unixpath,Pattern[/-\/.+/]],1]],
+ Optional['NoExecPaths'] => Variant[Stdlib::Unixpath,Pattern[/-\/.+/], Array[Variant[Stdlib::Unixpath,Pattern[/-\/.+/]],1]],
 Optional['PrivateDevices'] => Boolean,
 Optional['RemoveIPC'] => Boolean,
 Optional['ProtectKernelModules'] => Boolean,
From 1ec61acbfb6f2032760dae31a2c4422816f9350c Mon Sep 17 00:00:00 2001
From: Carthik Sharma
Date: Fri, 5 Apr 2024 07:58:27 -0700
Subject: [PATCH 2/2] Update regular expression for file system options' paths
---
 REFERENCE.md | 10 +++++-----
 types/unit/service.pp | 10 +++++-----
 2 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/REFERENCE.md b/REFERENCE.md
index 0a43d246..a7e2eb28 100644
--- a/REFERENCE.md
+++ b/REFERENCE.md
@@ -2753,11 +2753,11 @@ Struct[{
 Optional['ProtectHome'] => Variant[Boolean, Enum['read-only', 'tmpfs']],
 Optional['BindPaths'] => Variant[Stdlib::Unixpath,Pattern[/-\/.+/], Array[Variant[Stdlib::Unixpath,Pattern[/-\/.+/]],1]],
 Optional['BindReadOnlyPaths'] => Variant[Stdlib::Unixpath,Pattern[/-\/.+/], Array[Variant[Stdlib::Unixpath,Pattern[/-\/.+/]],1]],
- Optional['ReadWritePaths'] => Variant[Stdlib::Unixpath,Pattern[/-\/.+/], Array[Variant[Stdlib::Unixpath,Pattern[/-\/.+/]],1]],
- Optional['ReadOnlyPaths'] => Variant[Stdlib::Unixpath,Pattern[/-\/.+/], Array[Variant[Stdlib::Unixpath,Pattern[/-\/.+/]],1]],
- Optional['InaccessiblePaths'] => Variant[Stdlib::Unixpath,Pattern[/-\/.+/], Array[Variant[Stdlib::Unixpath,Pattern[/-\/.+/]],1]],
- Optional['ExecPaths'] => Variant[Stdlib::Unixpath,Pattern[/-\/.+/], Array[Variant[Stdlib::Unixpath,Pattern[/-\/.+/]],1]],
- Optional['NoExecPaths'] => Variant[Stdlib::Unixpath,Pattern[/-\/.+/], Array[Variant[Stdlib::Unixpath,Pattern[/-\/.+/]],1]],
+ Optional['ReadWritePaths'] => Variant[Stdlib::Unixpath,Pattern[/^-?\+?\/.+/], Array[Variant[Stdlib::Unixpath,Pattern[/^-?\+?\/.+/]],1]],
+ Optional['ReadOnlyPaths'] => Variant[Stdlib::Unixpath,Pattern[/^-?\+?\/.+/], Array[Variant[Stdlib::Unixpath,Pattern[/^-?\+?\/.+/]],1]],
+ Optional['InaccessiblePaths'] => Variant[Stdlib::Unixpath,Pattern[/^-?\+?\/.+/], Array[Variant[Stdlib::Unixpath,Pattern[/^-?\+?\/.+/]],1]],
+ Optional['ExecPaths'] => Variant[Stdlib::Unixpath,Pattern[/^-?\+?\/.+/], Array[Variant[Stdlib::Unixpath,Pattern[/^-?\+?\/.+/]],1]],
+ Optional['NoExecPaths'] => Variant[Stdlib::Unixpath,Pattern[/^-?\+?\/.+/], Array[Variant[Stdlib::Unixpath,Pattern[/^-?\+?\/.+/]],1]],
 Optional['PrivateDevices'] => Boolean,
 Optional['RemoveIPC'] => Boolean,
 Optional['ProtectKernelModules'] => Boolean,
diff --git a/types/unit/service.pp b/types/unit/service.pp
index d0f30717..da463a36 100644
--- a/types/unit/service.pp
+++ b/types/unit/service.pp
@@ -109,11 +109,11 @@
 Optional['ProtectHome'] => Variant[Boolean, Enum['read-only', 'tmpfs']],
 Optional['BindPaths'] => Variant[Stdlib::Unixpath,Pattern[/-\/.+/], Array[Variant[Stdlib::Unixpath,Pattern[/-\/.+/]],1]],
 Optional['BindReadOnlyPaths'] => Variant[Stdlib::Unixpath,Pattern[/-\/.+/], Array[Variant[Stdlib::Unixpath,Pattern[/-\/.+/]],1]],
- Optional['ReadWritePaths'] => Variant[Stdlib::Unixpath,Pattern[/-\/.+/], Array[Variant[Stdlib::Unixpath,Pattern[/-\/.+/]],1]],
- Optional['ReadOnlyPaths'] => Variant[Stdlib::Unixpath,Pattern[/-\/.+/], Array[Variant[Stdlib::Unixpath,Pattern[/-\/.+/]],1]],
- Optional['InaccessiblePaths'] => Variant[Stdlib::Unixpath,Pattern[/-\/.+/], Array[Variant[Stdlib::Unixpath,Pattern[/-\/.+/]],1]],
- Optional['ExecPaths'] => Variant[Stdlib::Unixpath,Pattern[/-\/.+/], Array[Variant[Stdlib::Unixpath,Pattern[/-\/.+/]],1]],
- Optional['NoExecPaths'] => Variant[Stdlib::Unixpath,Pattern[/-\/.+/], Array[Variant[Stdlib::Unixpath,Pattern[/-\/.+/]],1]],
+ Optional['ReadWritePaths'] => Variant[Stdlib::Unixpath,Pattern[/^-?\+?\/.+/], Array[Variant[Stdlib::Unixpath,Pattern[/^-?\+?\/.+/]],1]],
+ Optional['ReadOnlyPaths'] => Variant[Stdlib::Unixpath,Pattern[/^-?\+?\/.+/], Array[Variant[Stdlib::Unixpath,Pattern[/^-?\+?\/.+/]],1]],
+ Optional['InaccessiblePaths'] => Variant[Stdlib::Unixpath,Pattern[/^-?\+?\/.+/], Array[Variant[Stdlib::Unixpath,Pattern[/^-?\+?\/.+/]],1]],
+ Optional['ExecPaths'] => Variant[Stdlib::Unixpath,Pattern[/^-?\+?\/.+/], Array[Variant[Stdlib::Unixpath,Pattern[/^-?\+?\/.+/]],1]],
+ Optional['NoExecPaths'] => Variant[Stdlib::Unixpath,Pattern[/^-?\+?\/.+/], Array[Variant[Stdlib::Unixpath,Pattern[/^-?\+?\/.+/]],1]],
 Optional['PrivateDevices'] => Boolean,
 Optional['RemoveIPC'] => Boolean,
 Optional['ProtectKernelModules'] => Boolean,
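Review bot: The prefix regex on the five rewritten lines, `Pattern[/^-?\+?\/.+/]`, accepts `-/path`, `+/path` and `-+/path` but rejects `+-/path`; the systemd.exec page linked from the first commit documents both the `-` (ignore if missing) and `+` (relative to the unit's root) prefixes for these options, and if it allows them in either order (worth confirming against that page) a valid hardening entry such as an `InaccessiblePaths` or `ReadOnlyPaths` target would be refused by this type even though systemd itself accepts it. A form that takes at most one of each prefix in any order is `Pattern[/^(-\+?|\+-?)?\/.+/]`, to be applied to all ten occurrences on these lines and to the matching lines in the REFERENCE.md hunk. The `.+` tail still admits anything after the first slash, and unprefixed values are already covered by `Stdlib::Unixpath` in the same Variant, so the Pattern alternative only does work for prefixed entries. The enclosing Struct starts and ends outside the hunk.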