| field | value | date |
|---|---|---|
| author | Alex Martens <alex@thinglab.org> | 2022-03-06 15:46:23 -0800 |
| committer | Alex Martens <alex@thinglab.org> | 2022-04-01 12:22:10 -0700 |
| commit | 334b30c464d95bcedd473014aa83c7d68ece641f (patch) | |
| tree | ff591d43386d731bfa4e74f1cd75eac881169c58 /nixos | |
| parent | baedfc4da94daa30728d9ade4aa34f4a530d1e65 (diff) | |
nixos/github-runner: systemd service hardening
Diffstat (limited to 'nixos')
3 files changed, 23 insertions, 0 deletions
diff --git a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml index 9535d441740..c6471101f4a 100644 --- a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml +++ b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml @@ -980,6 +980,15 @@ </listitem> <listitem> <para> + <literal>services.github-runner</literal> has been hardened. + Notably address families and system calls have been + restricted, which may adversely affect some kinds of testing, + e.g. using <literal>AF_BLUETOOTH</literal> to test bluetooth + devices. + </para> + </listitem> + <listitem> + <para> The terraform 0.12 compatibility has been removed and the <literal>terraform.withPlugins</literal> and <literal>terraform-providers.mkProvider</literal> diff --git a/nixos/doc/manual/release-notes/rl-2205.section.md b/nixos/doc/manual/release-notes/rl-2205.section.md index 377dd1b5cae..ad9532adff5 100644 --- a/nixos/doc/manual/release-notes/rl-2205.section.md +++ b/nixos/doc/manual/release-notes/rl-2205.section.md @@ -357,6 +357,10 @@ In addition to numerous new and upgraded packages, this release has the followin - The Tor SOCKS proxy is now actually disabled if `services.tor.client.enable` is set to `false` (the default). If you are using this functionality but didn't change the setting or set it to `false`, you now need to set it to `true`. +- `services.github-runner` has been hardened. Notably address families and + system calls have been restricted, which may adversely affect some kinds of + testing, e.g. using `AF_BLUETOOTH` to test bluetooth devices. + - The terraform 0.12 compatibility has been removed and the `terraform.withPlugins` and `terraform-providers.mkProvider` implementations simplified. Providers now need to be stored under `$out/libexec/terraform-providers/<registry>/<owner>/<name>/<version>/<os>_<arch>/terraform-provider-<name>_v<version>` (which mkProvider does). 
diff --git a/nixos/modules/services/continuous-integration/github-runner.nix b/nixos/modules/services/continuous-integration/github-runner.nix index a7645e1f56e..30dd919b81a 100644 --- a/nixos/modules/services/continuous-integration/github-runner.nix +++ b/nixos/modules/services/continuous-integration/github-runner.nix @@ -299,6 +299,16 @@ in RestrictRealtime = true; RestrictSUIDSGID = true; UMask = "0066"; + ProtectProc = "invisible"; + ProcSubset = "pid"; + SystemCallFilter = [ + "~@debug" + "~@mount" + "~@privileged" + "~@cpu-emulation" + "~@obsolete" + ]; + RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" "AF_NETLINK" ]; # Needs network access PrivateNetwork = false; |
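Review bot: the rl-2205.section.xml hunk is in the generated from_md tree, so it should be produced by regenerating the DocBook from rl-2205.section.md rather than by hand; the check that matters is that its text matches the markdown hunk line for line (it does here), and any wording fix such as the missing comma after "Notably" or "bluetooth" versus "Bluetooth" has to be made in the markdown source and regenerated so the two files do not drift apart.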
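Review bot: the rl-2205.section.md hunk tells users that address families and system calls are now restricted but not how to relax them when a test genuinely needs, say, AF_BLUETOOTH; suggest adding one sentence pointing at overriding the runner unit's serviceConfig through systemd.services (RestrictAddressFamilies is defined as a list in the module hunk, so an extra family can be added there), and tightening the wording to "Notably, address families and system calls have been restricted" and "Bluetooth devices".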
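Review bot: in the github-runner.nix hunk, `ProcSubset = "pid"` is the setting most likely to break jobs and it is not mentioned in the release note: it hides every /proc entry that is not process-related (for example /proc/cpuinfo, /proc/meminfo and /proc/sys), which the systemd.exec documentation itself flags as unsuitable for most non-trivial programs, and a CI runner executes arbitrary build tooling that reads those files; suggest either dropping it or calling it out alongside AF_BLUETOOTH. Two smaller points on the same hunk: `SystemCallFilter` with a denylist and no `SystemCallErrorNumber` makes a blocked call kill the process with SIGSYS, so a job step that hits `~@debug` (ptrace, hence strace or gdb inside a step) or `~@mount` simply dies with no useful error; setting `SystemCallErrorNumber = "EPERM";` turns that into a diagnosable failure while keeping the restriction, and the release note should list ptrace-based tools next to the Bluetooth example. The `RestrictAddressFamilies` list keeps `AF_NETLINK`, which is needed for ordinary interface enumeration, but omits `AF_PACKET`, so any packet-capture step will fail; that is a sound default for a runner and only needs a mention in the note.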