mnt-servo-*-reachable.service: harden systemd service

2024-08-06 06:43:10 +00:00
parent 5e57e78411
commit 638655ff83
1 changed files with 41 additions and 2 deletions
--- a/hosts/common/fs.nix
+++ b/hosts/common/fs.nix
@@ -193,7 +193,6 @@ let
      dir.acl.mode = "0750";
      wantedBy = [ "default.target" ];
      mount.depends = [ "network-online.target" "${systemdName}-reachable.service" ];
-      # mount.unitConfig.Conflicts = [ "${systemdName}-reachable.service" ];  #< ensures that we *retry* reachability on every activation attempt
      #VVV patch so that when the mount fails, we start a timer to remount it.
      #    and for a disconnection after a good mount (onSuccess), restart the timer to be more aggressive
      mount.unitConfig.OnFailure = [ "${systemdName}.timer" ];
@@ -246,7 +245,47 @@ let
      serviceConfig.RemainAfterExit = true;
      serviceConfig.Type = "oneshot";
      unitConfig.BindsTo = [ "${systemdName}.mount" ];
-      # unitConfig.PartOf = [ "${systemdName}.mount" ];
+      # hardening (systemd-analyze security mnt-servo-playground-reachable.service)
+      serviceConfig.AmbientCapabilities = "";
+      serviceConfig.CapabilityBoundingSet = "";
+      serviceConfig.DynamicUser = true;
+      serviceConfig.LockPersonality = true;
+      serviceConfig.MemoryDenyWriteExecute = true;
+      serviceConfig.NoNewPrivileges = true;
+      serviceConfig.PrivateDevices = true;
+      serviceConfig.PrivateMounts = true;
+      serviceConfig.PrivateTmp = true;
+      serviceConfig.PrivateUsers = true;
+      serviceConfig.ProcSubset = "all";
+      serviceConfig.ProtectClock = true;
+      serviceConfig.ProtectControlGroups = true;
+      serviceConfig.ProtectHome = true;
+      serviceConfig.ProtectKernelModules = true;
+      serviceConfig.ProtectProc = "invisible";
+      serviceConfig.ProtectSystem = "strict";
+      serviceConfig.RemoveIPC = true;
+      serviceConfig.RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6";
+      # serviceConfig.RestrictFileSystems = "@common-block @basic-api";  #< NOPE
+      serviceConfig.RestrictRealtime = true;
+      serviceConfig.RestrictSUIDSGID = true;
+      serviceConfig.SystemCallArchitectures = "native";
+      serviceConfig.SystemCallFilter = [
+        "@system-service"
+        "@mount"
+        "~@chown"
+        "~@cpu-emulation"
+        "~@keyring"
+        # "~@privileged"  #< NOPE
+        "~@resources"
+        # could remove some more probably
+      ];
+      serviceConfig.IPAddressDeny = "any";
+      serviceConfig.IPAddressAllow = "10.0.10.5";
+      serviceConfig.DevicePolicy = "closed";
+      # exceptions
+      serviceConfig.ProtectHostname = false;
+      serviceConfig.ProtectKernelLogs = false;
+      serviceConfig.ProtectKernelTunables = false;
    };

    systemd.targets."${systemdName}-restart-timer" = {