smartd: fix sandboxing on desko

2024-11-09 22:28:59 +00:00
parent c70ec39a48
commit 33412ad3f2
1 changed files with 26 additions and 8 deletions
--- a/hosts/common/programs/smartmontools.nix
+++ b/hosts/common/programs/smartmontools.nix
@@ -1,6 +1,7 @@
 { config, lib, pkgs, ... }:
 let
  cfg = config.sane.programs.smartmontools;
+  usePostfix = config.services.postfix.enable;
 in
 {
  sane.programs.smartmontools = {
@@ -11,23 +12,40 @@ in
    sandbox.tryKeepUsers = true;
  };

-  services.smartd.enable = lib.mkIf cfg.enabled true;
-  # don't depend on /run/wrappers/bin/sendmail
-  services.smartd.notifications.mail.mailer = lib.mkIf cfg.enabled (lib.getExe' pkgs.postfix "sendmail");
+  services.smartd = lib.mkIf cfg.enabled {
+    enable = true;
+    # don't depend on /run/wrappers/bin/sendmail
+    notifications.mail.mailer = lib.mkIf usePostfix (lib.getExe' pkgs.postfix "sendmail");
+  };
+
+  services.udev.extraRules = lib.mkIf cfg.enabled ''
+    # fix /dev/nvme0, etc, to have same perms as /dev/nvme0n*
+    SUBSYSTEM=="nvme" GROUP="disk" MODE="0660"
+  '';

  users.users.smartd = lib.mkIf cfg.enabled {
    isSystemUser = true;
    group = "disk";  # for access to /dev/sd*
    extraGroups = [ "postdrop" ];  # for mail delivery
  };
-  systemd.services.smartd = {
+  systemd.services.smartd = lib.mkIf cfg.enabled {
    # hardening options (`systemd-analyze security smartd`)
    serviceConfig.User = "smartd";
-    serviceConfig.AmbientCapabilities = [ "CAP_SYS_RAWIO" ];
-    serviceConfig.CapabilityBoundingSet = [ "CAP_SYS_RAWIO" ];
+    serviceConfig.AmbientCapabilities = [
+      "CAP_SYS_ADMIN"  #< only needed for nvme devices
+      "CAP_SYS_RAWIO"
+    ];
+    serviceConfig.CapabilityBoundingSet = [
+      "CAP_SYS_ADMIN"  #< only needed for nvme devices
+      "CAP_SYS_RAWIO"
+    ];
    serviceConfig.NoNewPrivileges = true;
    serviceConfig.DevicePolicy = "closed";
-    serviceConfig.DeviceAllow = "block-sd r";
+    serviceConfig.DeviceAllow = [
+      "block-sd r"
+      "char-nvme r"
+      # "char-nvme-generic r"
+    ];
    serviceConfig.LockPersonality = true;
    serviceConfig.MemoryDenyWriteExecute = true;
    serviceConfig.PrivateIPC = true;
@@ -54,7 +72,7 @@ in
      # keep "@privileged" or "@raw-io", since it needs to do that
    ];
    # serviceConfig.RestrictNamespaces = true;
-    serviceConfig.ReadWritePaths = lib.mkIf config.services.postfix.enable [
+    serviceConfig.ReadWritePaths = lib.mkIf usePostfix [
      "/var/lib/postfix/queue/maildrop"
    ];
    # serviceConfig.PrivateUsers = true;  # can't, because it requires CAP_SYS_RAWIO