authorJörg Thalheim <joerg@thalheim.io>2022-02-23 07:00:33 +0100
committerJörg Thalheim <joerg@thalheim.io>2022-02-25 11:39:34 +0100
commitad161944605a00dbf036dee4eea10eab8a286121 (patch)
tree2774c86805ce87ff5737a0f72ab419d9a60a5f02 /nixos/modules/services/networking/bird.nix
parenta5276e1fbdb1773554fb882ad4432116b9b4d918 (diff)
nixos/bird: improve systemd hardening / capability set
aligned with https://github.com/archlinux/svntogit-packages/blob/packages/bird/trunk/bird.service#L20-L21
Diffstat (limited to 'nixos/modules/services/networking/bird.nix')
-rw-r--r--nixos/modules/services/networking/bird.nix12
1 files changed, 8 insertions, 4 deletions
diff --git a/nixos/modules/services/networking/bird.nix b/nixos/modules/services/networking/bird.nix
index 54c75906742..4a519242481 100644
--- a/nixos/modules/services/networking/bird.nix
+++ b/nixos/modules/services/networking/bird.nix
@@ -72,23 +72,27 @@ in
       serviceConfig = {
         Type = "forking";
         Restart = "on-failure";
+        # We need to start as root so bird can open netlink sockets i.e. for ospf
         ExecStart = "${pkgs.bird}/bin/bird -c /etc/bird/bird2.conf -u bird2 -g bird2";
         ExecReload = "/bin/sh -c '${pkgs.bird}/bin/bird -c /etc/bird/bird2.conf -p && ${pkgs.bird}/bin/birdc configure'";
         ExecStop = "${pkgs.bird}/bin/birdc down";
+        RuntimeDirectory = "bird";
         CapabilityBoundingSet = [
           "CAP_CHOWN"
           "CAP_FOWNER"
-          "CAP_DAC_OVERRIDE"
           "CAP_SETUID"
           "CAP_SETGID"
-          # see bird/sysdep/linux/syspriv.h
-          "CAP_NET_BIND_SERVICE"
-          "CAP_NET_BROADCAST"
           "CAP_NET_ADMIN"
+          "CAP_NET_BROADCAST"
+          "CAP_NET_BIND_SERVICE"
           "CAP_NET_RAW"
         ];
         ProtectSystem = "full";
         ProtectHome = "yes";
+        ProtectKernelTunables = true;
+        ProtectControlGroups = true;
+        PrivateTmp = true;
+        PrivateDevices = true;
         SystemCallFilter = "~@cpu-emulation @debug @keyring @module @mount @obsolete @raw-io";
         MemoryDenyWriteExecute = "yes";
       };
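Review bot: The new `RuntimeDirectory = "bird";` is created root-owned with the default mode because this unit sets no User=/Group= (it deliberately starts as root, per the added comment, and only drops to bird2 via `-u bird2 -g bird2`), so anything bird has to create under /run/bird after its uid drop would fail; this is fine if bird creates and chowns its control socket there before dropping privileges (which is what CAP_CHOWN/CAP_FOWNER in the bounding set are for), but please confirm that no post-drop file creation (e.g. a pid file) lands in that directory, or add `RuntimeDirectoryMode`/pre-creation as bird2. The reordered CapabilityBoundingSet also lost its only provenance comment; the four CAP_NET_* entries are exactly the set bird keeps across its uid change, so I would add `# CAP_NET_*: the set bird retains across its uid drop, see bird/sysdep/linux/syspriv.h` above them so the next hardening pass does not trim one and break OSPF/BFD raw sockets. Minor wording on the new ExecStart comment: `# We need to start as root so bird can open netlink/raw sockets, e.g. for OSPF` ("i.e." reads as if OSPF were the only reason).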