author Martin Weinelt <hexa@darmstadt.ccc.de> 2021-05-06 16:44:16 +0200
committer Martin Weinelt <hexa@darmstadt.ccc.de> 2021-05-06 16:55:53 +0200
commit 24adc01e2ed8377a82a45957b4ba280e169c185a (patch)
tree 4bb0d8009b375d85e358a1bbaefe441d56c3bd03 /nixos
parent 3bab9a19adc18cb72ceaa99124ccf5d7ac71f9d4 (diff)
nixos/home-assistant: allow netlink sockets and /proc/net inspection
Since v2021.5.0 home-assistant uses the ifaddr library in the zeroconf
component to enumerate network interfaces via netlink. Since discovery
is all over the place, let's allow AF_NETLINK unconditionally.

It also relies on pyroute2 now, which additionally tries to access files
in /proc/net, so we relax ProtectProc a bit by default as well.

This leaves us with these options unsecured:

✗ PrivateNetwork=                                             Service has access to the host's network                                                                 0.5
✗ RestrictAddressFamilies=~AF_(INET|INET6)                    Service may allocate Internet sockets                                                                    0.3
✗ DeviceAllow=                                                Service has a device ACL with some special devices                                                       0.1
✗ IPAddressDeny=                                              Service does not define an IP address allow list                                                         0.2
✗ PrivateDevices=                                             Service potentially has access to hardware devices                                                       0.2
✗ PrivateUsers=                                               Service has access to other users                                                                        0.2
✗ SystemCallFilter=~@resources                                System call allow list defined for service, and @resources is included (e.g. ioprio_set is allowed)      0.2
✗ RestrictAddressFamilies=~AF_NETLINK                         Service may allocate netlink sockets                                                                     0.1
✗ RootDirectory=/RootImage=                                   Service runs within the host's root directory                                                            0.1
✗ SupplementaryGroups=                                        Service runs with supplementary groups                                                                   0.1
✗ RestrictAddressFamilies=~AF_UNIX                            Service may allocate local sockets                                                                       0.1
✗ ProcSubset=                                                 Service has full access to non-process /proc files (/proc subset=)                                       0.1

→ Overall exposure level for home-assistant.service: 1.6 OK 🙂
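The netlink exchange the commit message refers to, as an added example that is not code from nixpkgs, ifaddr or pyroute2: a pure-Python RTM_GETADDR dump over an AF_NETLINK route socket, the kind of operation those libraries perform, plus the reply parser checked against a constructed sample. It assumes Linux; `dump_addresses()` is the call that fails inside a unit whose RestrictAddressFamilies= omits AF_NETLINK.

```python
import socket, struct
NETLINK_ROUTE, RTM_NEWADDR, RTM_GETADDR, NLMSG_DONE = 0, 20, 22, 3
NLM_F_REQUEST, NLM_F_MULTI, NLM_F_DUMP, IFA_ADDRESS, IFA_LOCAL = 0x1, 0x2, 0x300, 1, 2
NLMSG_HDR = struct.Struct("=IHHII")  # nlmsghdr: len, type, flags, seq, pid
IFADDRMSG = struct.Struct("=BBBBI")  # ifaddrmsg: family, prefixlen, flags, scope, ifindex
RTATTR = struct.Struct("=HH")        # rtattr: len, type; payload follows, 4-byte aligned

def parse_ifaddr_messages(buf):
    """Decode RTM_NEWADDR records -> ([(ifindex, family, prefixlen, text)], done)."""
    found, off = [], 0
    while off + NLMSG_HDR.size <= len(buf):
        msg_len, msg_type, _flags, _seq, _pid = NLMSG_HDR.unpack_from(buf, off)
        if msg_len < NLMSG_HDR.size or off + msg_len > len(buf):
            break                          # malformed or truncated: bail, never loop
        if msg_type == NLMSG_DONE:
            return found, True             # terminator of an NLM_F_DUMP reply
        if msg_type == RTM_NEWADDR:
            pos = off + NLMSG_HDR.size
            family, prefixlen, _f, _scope, ifindex = IFADDRMSG.unpack_from(buf, pos)
            pos, end, attrs = pos + IFADDRMSG.size, off + msg_len, {}
            while pos + RTATTR.size <= end:
                rta_len, rta_type = RTATTR.unpack_from(buf, pos)
                if rta_len < RTATTR.size:
                    break
                attrs[rta_type] = buf[pos + RTATTR.size:pos + rta_len]
                pos += (rta_len + 3) & ~3  # NLA_ALIGN
            raw = attrs.get(IFA_LOCAL) or attrs.get(IFA_ADDRESS)  # IPv4: LOCAL, IPv6: ADDRESS
            if raw and family in (socket.AF_INET, socket.AF_INET6):
                found.append((ifindex, family, prefixlen, socket.inet_ntop(family, raw)))
        off += (msg_len + 3) & ~3
    return found, False

def dump_addresses(family=socket.AF_UNSPEC):
    """RTM_GETADDR dump; socket() raises EAFNOSUPPORT when the unit forbids AF_NETLINK."""
    with socket.socket(socket.AF_NETLINK, socket.SOCK_RAW, NETLINK_ROUTE) as sock:
        body = IFADDRMSG.pack(family, 0, 0, 0, 0)
        sock.send(NLMSG_HDR.pack(NLMSG_HDR.size + len(body), RTM_GETADDR,
                                 NLM_F_REQUEST | NLM_F_DUMP, 1, 0) + body)
        found, done = [], False
        while not done:                    # a dump usually spans several recv() calls
            part, done = parse_ifaddr_messages(sock.recv(65536))
            found.extend(part)
        return found

# Constructed sample reply (not a kernel capture): one IPv4 address on ifindex 1, then NLMSG_DONE.
SAMPLE_REPLY = (
    NLMSG_HDR.pack(NLMSG_HDR.size + IFADDRMSG.size + 8, RTM_NEWADDR, NLM_F_MULTI, 1, 0)
    + IFADDRMSG.pack(socket.AF_INET, 8, 0, 0, 1)
    + RTATTR.pack(8, IFA_LOCAL) + socket.inet_pton(socket.AF_INET, "127.0.0.1")
    + NLMSG_HDR.pack(NLMSG_HDR.size + 4, NLMSG_DONE, NLM_F_MULTI, 1, 0) + b"\0\0\0\0")
```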
Diffstat (limited to 'nixos')
-rw-r--r-- nixos/modules/services/misc/home-assistant.nix 5
1 files changed, 3 insertions, 2 deletions
diff --git a/nixos/modules/services/misc/home-assistant.nix b/nixos/modules/services/misc/home-assistant.nix
index 1985f130881..1e33381de24 100644
--- a/nixos/modules/services/misc/home-assistant.nix
+++ b/nixos/modules/services/misc/home-assistant.nix
@@ -298,7 +298,7 @@ in {
         ProtectKernelModules = true;
         ProtectKernelTunables = true;
         ProtectProc = "invisible";
-        ProcSubset = "pid";
+        ProcSubset = "all";
         ProtectSystem = "strict";
         RemoveIPC = true;
         ReadWritePaths = let
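Review bot: the commit message says ProtectProc is relaxed, but this hunk changes ProcSubset= from "pid" to "all" and leaves ProtectProc = "invisible" as it was; the message should name ProcSubset= so the rationale matches the diff. Because ProcSubset=all exposes every non-process /proc file (as the exposure table in the message notes), a short comment above that line citing the pyroute2 /proc/net dependency would keep a later hardening pass from tightening it back to "pid".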
@@ -308,9 +308,10 @@ in {
           allowPaths = if isList value then value else singleton value;
         in [ "${cfg.configDir}" ] ++ allowPaths;
         RestrictAddressFamilies = [
-          "AF_UNIX"
           "AF_INET"
           "AF_INET6"
+          "AF_NETLINK"
+          "AF_UNIX"
         ] ++ optionals (useComponent "bluetooth_tracker" || useComponent "bluetooth_le_tracker") [
           "AF_BLUETOOTH"
         ];
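Review bot: "AF_NETLINK" is added unconditionally while "AF_BLUETOOTH" directly below is gated on useComponent; the message justifies that (discovery is used widely), but the list itself carries no comment, so a note that zeroconf/ifaddr needs netlink since 2021.5.0 would help the next reader. Moving "AF_UNIX" to the end only restores alphabetical order and could be mentioned as cosmetic in the message.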