authorMartin Weinelt <hexa@darmstadt.ccc.de>2021-04-24 17:22:54 +0200
committerMartin Weinelt <hexa@darmstadt.ccc.de>2021-05-01 19:46:48 +0200
commit33e867620eb1e27d44a35fb57944ce8a5bccfdab (patch)
tree0cfd2434f57e355521b35b91b1623b2a9c634994 /nixos/modules/services/networking/mosquitto.nix
parent6aec5a24a4ba03f6c499b48ea7c71111db629e7b (diff)
nixos/mosquitto: harden systemd unit
It can still use the network, and it can only access the SSL-related files if SSL is
enabled.

✗ PrivateNetwork=                                             Service has access to the host's network                                            0.5
✗ RestrictAddressFamilies=~AF_(INET|INET6)                    Service may allocate Internet sockets                                               0.3
✗ DeviceAllow=                                                Service has a device ACL with some special devices                                  0.1
✗ IPAddressDeny=                                              Service does not define an IP address allow list                                    0.2
✗ RootDirectory=/RootImage=                                   Service runs within the host's root directory                                       0.1
✗ RestrictAddressFamilies=~AF_UNIX                            Service may allocate local sockets                                                  0.1

→ Overall exposure level for mosquitto.service: 1.1 OK 🙂
Diffstat (limited to 'nixos/modules/services/networking/mosquitto.nix')
-rw-r--r--nixos/modules/services/networking/mosquitto.nix43
1 files changed, 39 insertions, 4 deletions
diff --git a/nixos/modules/services/networking/mosquitto.nix b/nixos/modules/services/networking/mosquitto.nix
index 10b49d9b220..b98a717e658 100644
--- a/nixos/modules/services/networking/mosquitto.nix
+++ b/nixos/modules/services/networking/mosquitto.nix
@@ -233,15 +233,50 @@ in
         ExecStart = "${pkgs.mosquitto}/bin/mosquitto -c ${mosquittoConf}";
         ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
 
-        ProtectSystem = "strict";
-        ProtectHome = true;
+        # Hardening
+        CapabilityBoundingSet = "";
+        DevicePolicy = "closed";
+        LockPersonality = true;
+        MemoryDenyWriteExecute = true;
+        NoNewPrivileges = true;
         PrivateDevices = true;
         PrivateTmp = true;
-        ReadWritePaths = "${cfg.dataDir}";
+        PrivateUsers = true;
+        ProtectClock = true;
         ProtectControlGroups = true;
+        ProtectHome = true;
+        ProtectHostname = true;
+        ProtectKernelLogs = true;
         ProtectKernelModules = true;
         ProtectKernelTunables = true;
-        NoNewPrivileges = true;
+        ProtectProc = "invisible";
+        ProcSubset = "pid";
+        ProtectSystem = "strict";
+        ReadWritePaths = [
+          cfg.dataDir
+          "/tmp"  # mosquitto_passwd creates files in /tmp before moving them
+        ];
+        ReadOnlyPaths = with cfg.ssl; lib.optionals (enable) [
+          certfile
+          keyfile
+          cafile
+        ];
+        RemoveIPC = true;
+        RestrictAddressFamilies = [
+          "AF_UNIX"  # for sd_notify() call
+          "AF_INET"
+          "AF_INET6"
+        ];
+        RestrictNamespaces = true;
+        RestrictRealtime = true;
+        RestrictSUIDSGID = true;
+        SystemCallArchitectures = "native";
+        SystemCallFilter = [
+          "@system-service"
+          "~@privileged"
+          "~@resources"
+        ];
+        UMask = "0077";
       };
       preStart = ''
         rm -f ${cfg.dataDir}/passwd
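Review bot: The `ReadOnlyPaths = with cfg.ssl; lib.optionals (enable) [ certfile keyfile cafile ]` expression hands all three paths to systemd as soon as `ssl.enable` is set, so if any of them is optional (declared `nullOr` with a `null` default — the option declarations are outside this hunk) the list carries a `null` and unit generation fails or emits a bogus entry; filtering is cheap, e.g. `ReadOnlyPaths = with cfg.ssl; lib.optionals enable (lib.filter (p: p != null) [ certfile keyfile cafile ]);`. Under `ProtectSystem = "strict"` the rest of the filesystem stays readable, so this entry only matters for files under a location that `ProtectHome = true` hides, and the commit message's claim that the service "can only access the ssl related files if ssl is enabled" overstates the restriction. The `"/tmp"` entry in `ReadWritePaths` looks redundant with `PrivateTmp = true`, which should already give the unit its own writable private `/tmp` regardless of `ProtectSystem`; keeping it is harmless, but the comment should say it is a belt-and-braces entry rather than a requirement. The `preStart` script that begins on the last line of this hunk continues outside it, and it runs inside this same sandbox, so any further writes it makes must stay within `cfg.dataDir` or `/tmp`.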