nixos/netdata: Disable PrivateTmp setting for Netdata service (#127382)

* Add patch to put IPC socket into /run/netdata

Co-authored-by: Jörg Thalheim <joerg@thalheim.io>

* Update pkgs/tools/system/netdata/default.nix

Co-authored-by: Jörg Thalheim <joerg@thalheim.io>
Co-authored-by: Jörg Thalheim <Mic92@users.noreply.github.com>

pkgs/tools/system/netdata/default.nix

@@ -42,6 +42,11 @@ in stdenv.mkDerivation rec {
     # required to prevent plugins from relying on /etc
     # and /var
     ./no-files-in-etc-and-var.patch
+    # The current IPC location is unsafe as it writes
+    # a fixed path in /tmp, which is world-writable.
+    # Therefore we put it into `/run/netdata`, which is owned
+    # by netdata only.
+    ./ipc-socket-in-run.patch
   ];
 
   NIX_CFLAGS_COMPILE = optionalString withDebug "-O1 -ggdb -DNETDATA_INTERNAL_CHECKS=1";

pkgs/tools/system/netdata/ipc-socket-in-run.patch

@@ -0,0 +1,13 @@
+diff --git a/daemon/commands.h b/daemon/commands.h
+index bd4aabfe1cbe4..ce7eb3c730228 100644
+--- a/daemon/commands.h
++++ b/daemon/commands.h
+@@ -6,7 +6,7 @@
+ #ifdef _WIN32
+ # define PIPENAME "\\\\?\\pipe\\netdata-cli"
+ #else
+-# define PIPENAME "/tmp/netdata-ipc"
++# define PIPENAME "/run/netdata/ipc"
+ #endif
+ 
+ #define MAX_COMMAND_LENGTH 4096