authorLassulus <github@lassul.us>2022-04-20 16:30:23 +0100
committerGitHub <noreply@github.com>2022-04-20 16:30:23 +0100
commitc29e52382420ba345e6bc96959dea044f6398fe9 (patch)
tree2541a659da55fad61975a738cf7b60978c28138c /nixos
parent9d733f3d4975fb3c516a2bf2bf1bc6f50781a553 (diff)
parent334b30c464d95bcedd473014aa83c7d68ece641f (diff)
Merge pull request #163030 from newAM/github-runner-harden
nixos/github-runner: systemd service hardening
Diffstat (limited to 'nixos')
-rw-r--r--nixos/doc/manual/from_md/release-notes/rl-2205.section.xml9
-rw-r--r--nixos/doc/manual/release-notes/rl-2205.section.md4
-rw-r--r--nixos/modules/services/continuous-integration/github-runner.nix10
3 files changed, 23 insertions, 0 deletions
diff --git a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml
index 9c2ddaa0815..c8a942f2abb 100644
--- a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml
+++ b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml
@@ -1265,6 +1265,15 @@
       </listitem>
       <listitem>
         <para>
+          <literal>services.github-runner</literal> has been hardened.
+          Notably address families and system calls have been
+          restricted, which may adversely affect some kinds of testing,
+          e.g. using <literal>AF_BLUETOOTH</literal> to test bluetooth
+          devices.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
           The terraform 0.12 compatibility has been removed and the
           <literal>terraform.withPlugins</literal> and
           <literal>terraform-providers.mkProvider</literal>
diff --git a/nixos/doc/manual/release-notes/rl-2205.section.md b/nixos/doc/manual/release-notes/rl-2205.section.md
index b1fd3ba4c00..809f6f9068e 100644
--- a/nixos/doc/manual/release-notes/rl-2205.section.md
+++ b/nixos/doc/manual/release-notes/rl-2205.section.md
@@ -498,6 +498,10 @@ In addition to numerous new and upgraded packages, this release has the followin
 
 - The Tor SOCKS proxy is now actually disabled if `services.tor.client.enable` is set to `false` (the default). If you are using this functionality but didn't change the setting or set it to `false`, you now need to set it to `true`.
 
+- `services.github-runner` has been hardened.  Notably address families and
+  system calls have been restricted, which may adversely affect some kinds of
+  testing, e.g. using `AF_BLUETOOTH` to test bluetooth devices.
+
 - The terraform 0.12 compatibility has been removed and the `terraform.withPlugins` and `terraform-providers.mkProvider` implementations simplified. Providers now need to be stored under
 `$out/libexec/terraform-providers/<registry>/<owner>/<name>/<version>/<os>_<arch>/terraform-provider-<name>_v<version>` (which mkProvider does).
 
diff --git a/nixos/modules/services/continuous-integration/github-runner.nix b/nixos/modules/services/continuous-integration/github-runner.nix
index a7645e1f56e..30dd919b81a 100644
--- a/nixos/modules/services/continuous-integration/github-runner.nix
+++ b/nixos/modules/services/continuous-integration/github-runner.nix
@@ -299,6 +299,16 @@ in
         RestrictRealtime = true;
         RestrictSUIDSGID = true;
         UMask = "0066";
+        ProtectProc = "invisible";
+        ProcSubset = "pid";
+        SystemCallFilter = [
+          "~@debug"
+          "~@mount"
+          "~@privileged"
+          "~@cpu-emulation"
+          "~@obsolete"
+        ];
+        RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" "AF_NETLINK" ];
 
         # Needs network access
         PrivateNetwork = false;
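Review bot: The new `SystemCallFilter` is a pure denylist (`~@debug`, `~@mount`, `~@privileged`, `~@cpu-emulation`, `~@obsolete`), and nothing in the hunk records why a denylist was chosen over the allowlist form (`@system-service` plus exceptions) that the other NixOS CI service modules tend to use, nor what happens when a workflow trips it: without a `SystemCallErrorNumber=` the offending process is killed with SIGSYS rather than seeing EPERM, which will surface as an abruptly failed job with no obvious cause. A short comment above the list would save the next reader that investigation, e.g. `# Denylist rather than @system-service: workflows run arbitrary user code, so a too-tight allowlist breaks builds. A filtered call kills the process with SIGSYS (no SystemCallErrorNumber set), so runner job failures may be this filter.` Whether `SystemCallArchitectures = "native"` is already present elsewhere in this `serviceConfig` block is outside the hunk and worth confirming, since without it the filter can be bypassed via a non-native ABI. Separately, the release-note text in the two doc hunks mentions only address families and system calls, while `ProtectProc = "invisible"` and `ProcSubset = "pid"` also land here and `ProcSubset = "pid"` hides the non-process entries of /proc from the runner's processes, which may affect jobs that read files like /proc/cpuinfo; I would mention that in the note as well. The enclosing `serviceConfig` attribute set begins and ends outside this hunk.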