authorMartin Weinelt <hexa@darmstadt.ccc.de>2021-12-04 02:54:50 +0100
committerMartin Weinelt <hexa@darmstadt.ccc.de>2021-12-04 16:53:31 +0100
commit67f102d8d8dee9cd12c082d013081cb296199e1f (patch)
tree30a44508b826ae421aaeada67c18ce411b2443bc
parentc52ea537b37afe1e2a4fcd33f4a8a5259a2da0ce (diff)
nixos/knot: update systemd hardening
-rw-r--r--nixos/modules/services/networking/knot.nix49
1 files changed, 42 insertions, 7 deletions
diff --git a/nixos/modules/services/networking/knot.nix b/nixos/modules/services/networking/knot.nix
index 67eadbd7670..a58a03997b3 100644
--- a/nixos/modules/services/networking/knot.nix
+++ b/nixos/modules/services/networking/knot.nix
@@ -80,13 +80,13 @@ in {
   };
 
   config = mkIf config.services.knot.enable {
+    users.groups.knot = {};
     users.users.knot = {
       isSystemUser = true;
       group = "knot";
       description = "Knot daemon user";
     };
 
-    users.groups.knot.gid = null;
     systemd.services.knot = {
       unitConfig.Documentation = "man:knotd(8) man:knot.conf(5) man:knotc(8) https://www.knot-dns.cz/docs/${cfg.package.version}/html/";
       description = cfg.package.meta.description;
@@ -98,17 +98,52 @@ in {
         Type = "notify";
         ExecStart = "${cfg.package}/bin/knotd --config=${configFile} --socket=${socketFile} ${concatStringsSep " " cfg.extraArgs}";
         ExecReload = "${knot-cli-wrappers}/bin/knotc reload";
-        CapabilityBoundingSet = "CAP_NET_BIND_SERVICE CAP_SETPCAP";
-        AmbientCapabilities = "CAP_NET_BIND_SERVICE CAP_SETPCAP";
-        NoNewPrivileges = true;
         User = "knot";
+        Group = "knot";
+
+        AmbientCapabilities = [
+          "CAP_NET_BIND_SERVICE"
+        ];
+        CapabilityBoundingSet = [
+          "CAP_NET_BIND_SERVICE"
+        ];
+        DeviceAllow = "";
+        DevicePolicy = "closed";
+        LockPersonality = true;
+        MemoryDenyWriteExecute = true;
+        NoNewPrivileges = true;
+        PrivateDevices = true;
+        PrivateTmp = true;
+        PrivateUsers = false; # breaks capability passing
+        ProcSubset = "pid";
+        ProtectClock = true;
+        ProtectControlGroups = true;
+        ProtectHome = true;
+        ProtectHostname = true;
+        ProtectKernelLogs = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        ProtectProc = "invisible";
+        ProtectSystem = "strict";
+        RemoveIPC = true;
+        Restart = "on-abort";
+        RestrictAddressFamilies = [
+          "AF_INET"
+          "AF_INET6"
+          "AF_UNIX"
+        ];
+        RestrictNamespaces = true;
+        RestrictRealtime =true;
+        RestrictSUIDSGID = true;
         RuntimeDirectory = "knot";
         StateDirectory = "knot";
         StateDirectoryMode = "0700";
-        PrivateDevices = true;
-        RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6";
         SystemCallArchitectures = "native";
-        Restart = "on-abort";
+        SystemCallFilter = [
+          "@system-service"
+          "~@privileged"
+        ];
+        UMask = "0077";
       };
     };