authorSymphorien Gibol <symphorien+git@xlumurb.eu>2020-02-02 12:00:00 +0000
committerSymphorien Gibol <symphorien+git@xlumurb.eu>2020-02-04 20:54:29 +0100
commit00a91d919d6f6cdaecc67a894f372a4195fea9da (patch)
treecd7c4f50b8d41af4aa80efe853b293efcff12380
parent7437bff7d1db7f1d62a53350a73632d18926d67a (diff)
nixos/iodine: hardening
-rw-r--r--nixos/modules/services/networking/iodine.nix38
1 files changed, 38 insertions, 0 deletions
diff --git a/nixos/modules/services/networking/iodine.nix b/nixos/modules/services/networking/iodine.nix
index 58067edf902..8aa91170851 100644
--- a/nixos/modules/services/networking/iodine.nix
+++ b/nixos/modules/services/networking/iodine.nix
@@ -9,6 +9,8 @@ let
 
   iodinedUser = "iodined";
 
+  /* is this path made unreadable by ProtectHome = true ? */
+  isProtected = x: hasPrefix "/root" x || hasPrefix "/home" x;
 in
 {
   imports = [
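Review bot: `isProtected` misses /run/user, which ProtectHome=true makes inaccessible alongside /home and /root, so a passwordFile kept under /run/user/… would get `ProtectHome = "true"` and the unit would fail to open it. The bare prefixes also match unrelated paths such as /rootfs or /homes; that only weakens the setting to "read-only" rather than breaking anything, but it is easy to tighten at the same time. Suggest `isProtected = x: hasPrefix "/root/" x || hasPrefix "/home/" x || hasPrefix "/run/user/" x;` with the comment reworded to `# true for paths that ProtectHome = true makes inaccessible (see systemd.exec(5)); "read-only" keeps them readable`. The let-block this binding lives in continues outside the hunk.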
@@ -134,6 +136,24 @@ in
             serviceConfig = {
               RestartSec = "30s";
               Restart = "always";
+
+              # hardening :
+              # Filesystem access
+              ProtectSystem = "strict";
+              ProtectHome = if isProtected cfg.passwordFile then "read-only" else "true" ;
+              PrivateTmp = true;
+              ReadWritePaths = "/dev/net/tun";
+              PrivateDevices = false;
+              ProtectKernelTunables = true;
+              ProtectKernelModules = true;
+              ProtectControlGroups = true;
+              # Caps
+              NoNewPrivileges = true;
+              # Misc.
+              LockPersonality = true;
+              RestrictRealtime = true;
+              PrivateMounts = true;
+              MemoryDenyWriteExecute = true;
             };
           };
       in
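Review bot: The `# Caps` section only sets NoNewPrivileges; nothing bounds the capability set, so the unit still starts with root's full capabilities until iodined drops privileges itself via `-u`. A `CapabilityBoundingSet` limited to what iodine needs (CAP_NET_ADMIN for the tun device, CAP_SETUID/CAP_SETGID for the user switch, CAP_NET_BIND_SERVICE for the server's port 53, and CAP_SYS_CHROOT if it chroots) would make the hardening meaningful; confirm the exact set against iodine's behaviour before adding it, because a missing capability fails only at runtime. The server serviceConfig in the next hunk has the same gap. ProtectSystem=strict on its own leaves /dev/ writable, so `ReadWritePaths = "/dev/net/tun"` appears redundant — harmless, but if it is deliberate a short comment saying so would stop the next reader from removing it. The enclosing client unit definition starts before this hunk.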
@@ -147,6 +167,24 @@ in
             after = [ "network.target" ];
             wantedBy = [ "multi-user.target" ];
             script = "exec ${pkgs.iodine}/bin/iodined -f -u ${iodinedUser} ${cfg.server.extraConfig} ${optionalString (cfg.server.passwordFile != "") "< \"${cfg.server.passwordFile}\""} ${cfg.server.ip} ${cfg.server.domain}";
+            serviceConfig = {
+              # Filesystem access
+              ProtectSystem = "strict";
+              ProtectHome = if isProtected cfg.server.passwordFile then "read-only" else "true" ;
+              PrivateTmp = true;
+              ReadWritePaths = "/dev/net/tun";
+              PrivateDevices = false;
+              ProtectKernelTunables = true;
+              ProtectKernelModules = true;
+              ProtectControlGroups = true;
+              # Caps
+              NoNewPrivileges = true;
+              # Misc.
+              LockPersonality = true;
+              RestrictRealtime = true;
+              PrivateMounts = true;
+              MemoryDenyWriteExecute = true;
+            };
           };
         };
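Review bot: The hardening attribute set added here is a line-for-line copy of the one in the client serviceConfig in the previous hunk, differing only in which passwordFile feeds isProtected; two copies will drift apart on the next change. Moving the set into the let-block as a function of the password file, e.g. `hardening = passwordFile: { ProtectSystem = "strict"; ProtectHome = if isProtected passwordFile then "read-only" else "true"; … };` with the remaining options as listed here, would let this become `serviceConfig = hardening cfg.server.passwordFile;` and the client side `serviceConfig = { RestartSec = "30s"; Restart = "always"; } // hardening cfg.passwordFile;`. Note that the `<` redirection in the script line above opens the password file as root before iodined drops privileges, so the ProtectHome choice is what keeps that read working; a comment on the `ProtectHome` line stating that dependency would help. The enclosing server unit definition starts before this hunk.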