diff options
| author | Martin Weinelt <hexa@darmstadt.ccc.de> | 2021-04-24 15:40:12 +0200 |
|---|---|---|
| committer | Martin Weinelt <hexa@darmstadt.ccc.de> | 2021-04-30 19:42:26 +0200 |
| commit | a691549f7e2e466aa3833992de55c72bcee36885 (patch) | |
| tree | 4d14077e18c113b4b0a03fc02a7374cbb888d894 | |
| parent | e0f1e1f7bf7e27f92c1a0215a7cc19eeed0499dd (diff) | |
| download | nixpkgs-a691549f7e2e466aa3833992de55c72bcee36885.tar nixpkgs-a691549f7e2e466aa3833992de55c72bcee36885.tar.gz nixpkgs-a691549f7e2e466aa3833992de55c72bcee36885.tar.bz2 nixpkgs-a691549f7e2e466aa3833992de55c72bcee36885.tar.lz nixpkgs-a691549f7e2e466aa3833992de55c72bcee36885.tar.xz nixpkgs-a691549f7e2e466aa3833992de55c72bcee36885.tar.zst nixpkgs-a691549f7e2e466aa3833992de55c72bcee36885.zip | |
nixos/zigbee2mqtt: harden systemd unit
This is what is still exposed, and it allows me to control my lamps from within home-assistant. ✗ PrivateNetwork= Service has access to the host's network 0.5 ✗ RestrictAddressFamilies=~AF_(INET|INET6) Service may allocate Internet sockets 0.3 ✗ DeviceAllow= Service has a device ACL with some special devices 0.1 ✗ IPAddressDeny= Service does not define an IP address allow list 0.2 ✗ PrivateDevices= Service potentially has access to hardware devices 0.2 ✗ RootDirectory=/RootImage= Service runs within the host's root directory 0.1 ✗ SupplementaryGroups= Service runs with supplementary groups 0.1 ✗ MemoryDenyWriteExecute= Service may create writable executable memory mappings 0.1 → Overall exposure level for zigbee2mqtt.service: 1.3 OK 🙂
| -rw-r--r-- | nixos/modules/services/misc/zigbee2mqtt.nix | 41 |
1 files changed, 39 insertions, 2 deletions
diff --git a/nixos/modules/services/misc/zigbee2mqtt.nix b/nixos/modules/services/misc/zigbee2mqtt.nix index 63951348172..1f721910c4c 100644 --- a/nixos/modules/services/misc/zigbee2mqtt.nix +++ b/nixos/modules/services/misc/zigbee2mqtt.nix @@ -79,10 +79,48 @@ in User = "zigbee2mqtt"; WorkingDirectory = cfg.dataDir; Restart = "on-failure"; + + # Hardening + CapabilityBoundingSet = ""; + DeviceAllow = [ + config.services.zigbee2mqtt.settings.serial.port + ]; + DevicePolicy = "closed"; + LockPersonality = true; + MemoryDenyWriteExecute = false; + NoNewPrivileges = true; + PrivateDevices = false; # prevents access to /dev/serial, because it is set 0700 root:root + PrivateUsers = true; + PrivateTmp = true; + ProtectClock = true; + ProtectControlGroups = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectProc = "invisible"; + ProcSubset = "pid"; ProtectSystem = "strict"; ReadWritePaths = cfg.dataDir; - PrivateTmp = true; RemoveIPC = true; + RestrictAddressFamilies = [ + "AF_INET" + "AF_INET6" + ]; + RestrictNamespaces = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + SupplementaryGroups = [ + "dialout" + ]; + SystemCallArchitectures = "native"; + SystemCallFilter = [ + "@system-service" + "~@privileged" + "~@resources" + ]; + UMask = "0077"; }; preStart = '' cp --no-preserve=mode ${configFile} "${cfg.dataDir}/configuration.yaml" @@ -93,7 +131,6 @@ in home = cfg.dataDir; createHome = true; group = "zigbee2mqtt"; - extraGroups = [ "dialout" ]; uid = config.ids.uids.zigbee2mqtt; }; |