From 5ec159bbf5605d9ca61083388b25ae4aa65de8be Mon Sep 17 00:00:00 2001
From: Colin
Date: Mon, 3 Jun 2024 13:05:51 +0000
Subject: [PATCH] WIP: networkmanager: restrict (using systemd options)
---
 hosts/common/net/networkmanager.nix | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
diff --git a/hosts/common/net/networkmanager.nix b/hosts/common/net/networkmanager.nix
index c532451a..bb3b6af6 100644
--- a/hosts/common/net/networkmanager.nix
+++ b/hosts/common/net/networkmanager.nix
@@ -67,6 +67,21 @@ in {
 "CAP_AUDIT_WRITE" #< allow writing to the audit log
 # "CAP_KILL"
 ];
+ serviceConfig.LockPersonality = true;
+ serviceConfig.PrivateDevices = true; # remount /dev with just the basics, syscall filter to block @raw-io
+ serviceConfig.PrivateIPC = true;
+ serviceConfig.PrivateUsers = true; # TODO: might break hooks?
+ serviceConfig.ProtectClock = true; # syscall filter to prevent changing the RTC
+ serviceConfig.ProtectControlGroups = true;
+ serviceConfig.ProtectHome = true; # makes empty: /home, /root, /run/user
+ serviceConfig.ProtectHostname = true; # probably not upstreamable: prevents changing hostname
+ serviceConfig.ProtectKernelLogs = true; # disable /proc/kmsg, /dev/kmsg
+ serviceConfig.ProtectKernelModules = true; # syscall filter to prevent module calls
+ # ProtectKernelTunables = true; # but NM might need to write /proc/sys/net/...
+ serviceConfig.ProtectSystem = "full"; # makes read-only: /boot, /etc/, /usr. TODO: "strict" would make all but /dev, /proc, /sys inaccessible.
+ # serviceConfig.RestrictAddressFamilies = TODO
+ serviceConfig.RestrictSUIDSGID = true;
+ serviceConfig.SystemCallArchitectures = "native"; # prevents e.g. aarch64 syscalls in the event that the kernel is multi-architecture.
 # TODO: it needs these directories:
 # - "/proc/net"
 # - "/proc/sys/net"
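Review bot: `serviceConfig.PrivateUsers = true;` likely breaks NetworkManager's core job rather than only its hooks, because capabilities held inside a fresh user namespace apply only to resources owned by that namespace, so whatever CAP_NET_* entries are retained in the capability list closing at the top of the hunk (its start is outside the hunk) would no longer reach the host network namespace's interfaces. I would drop that line until it has been exercised on a real host, and replace the inline TODO with a comment that records the reason, e.g. `# PrivateUsers: not usable here — capabilities inside the user namespace do not cover the host netns`. Separately, `ProtectSystem = "full"` makes /etc read-only, which presumably prevents the daemon from persisting connection profiles under /etc/NetworkManager/system-connections unless a matching `ReadWritePaths` entry is added; that is worth confirming before this leaves WIP.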