author | Jörg Thalheim <joerg@thalheim.io> | 2022-02-23 07:00:33 +0100 |
committer | Jörg Thalheim <joerg@thalheim.io> | 2022-02-25 11:39:34 +0100 |
commit | ad161944605a00dbf036dee4eea10eab8a286121 (patch) | |
tree | 2774c86805ce87ff5737a0f72ab419d9a60a5f02 /nixos/modules/services/networking/bird.nix | |
parent | a5276e1fbdb1773554fb882ad4432116b9b4d918 (diff) | |
nixos/bird: improve systemd hardening / capability set
aligned with https://github.com/archlinux/svntogit-packages/blob/packages/bird/trunk/bird.service#L20-L21
Diffstat (limited to 'nixos/modules/services/networking/bird.nix')
-rw-r--r-- | nixos/modules/services/networking/bird.nix | 12 |
1 files changed, 8 insertions, 4 deletions
diff --git a/nixos/modules/services/networking/bird.nix b/nixos/modules/services/networking/bird.nix
index 54c75906742..4a519242481 100644
--- a/nixos/modules/services/networking/bird.nix
+++ b/nixos/modules/services/networking/bird.nix
@@ -72,23 +72,27 @@ in
 serviceConfig = {
 Type = "forking";
 Restart = "on-failure";
+ # We need to start as root so bird can open netlink sockets i.e. for ospf
 ExecStart = "${pkgs.bird}/bin/bird -c /etc/bird/bird2.conf -u bird2 -g bird2";
 ExecReload = "/bin/sh -c '${pkgs.bird}/bin/bird -c /etc/bird/bird2.conf -p && ${pkgs.bird}/bin/birdc configure'";
 ExecStop = "${pkgs.bird}/bin/birdc down";
+ RuntimeDirectory = "bird";
 CapabilityBoundingSet = [
 "CAP_CHOWN"
 "CAP_FOWNER"
- "CAP_DAC_OVERRIDE"
 "CAP_SETUID"
 "CAP_SETGID"
- # see bird/sysdep/linux/syspriv.h
- "CAP_NET_BIND_SERVICE"
- "CAP_NET_BROADCAST"
 "CAP_NET_ADMIN"
+ "CAP_NET_BROADCAST"
+ "CAP_NET_BIND_SERVICE"
 "CAP_NET_RAW"
 ];
 ProtectSystem = "full";
 ProtectHome = "yes";
+ ProtectKernelTunables = true;
+ ProtectControlGroups = true;
+ PrivateTmp = true;
+ PrivateDevices = true;
 SystemCallFilter = "~@cpu-emulation @debug @keyring @module @mount @obsolete @raw-io";
 MemoryDenyWriteExecute = "yes";
 }; |
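Review bot: The added `RuntimeDirectory = "bird";` is created by systemd with the unit's `User=`/`Group=` ownership, and this unit sets neither, so the directory will presumably be root-owned while bird drops to `bird2` via the `-u bird2 -g bird2` flags on the `ExecStart` line; whether the unprivileged process can still create or re-create files there (the control socket, for instance) depends on bird's privilege-drop ordering and its configured socket path, which are not visible here and should be confirmed with a reload and restart test. The commit also removes the `# see bird/sysdep/linux/syspriv.h` comment that justified the capability list, and the replacement comment only explains why the process starts as root, so the reason each of `CAP_CHOWN`, `CAP_FOWNER`, `CAP_SETUID`, `CAP_SETGID` and the four `CAP_NET_*` entries is kept is no longer recorded in the module; I would restore a pointer above `CapabilityBoundingSet`, e.g. `# Minimal set per bird/sysdep/linux/syspriv.h and upstream's bird.service; CHOWN/FOWNER/SETUID/SETGID are for the -u/-g privilege drop`. Since `ProtectKernelTunables = true;` now makes `/proc/sys` read-only, it is worth noting in the same comment that bird must not need to write routing sysctls (e.g. forwarding) itself, as that would otherwise fail silently at startup. The enclosing `systemd.services` definition starts outside this hunk.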