smartd: sandbox

2024-11-09 12:01:08 +00:00
parent 3abf1fdff8
commit 6bd75034e0
2 changed files with 48 additions and 2 deletions


@@ -84,6 +84,8 @@
sane.ids.unbound.uid = 2008;
sane.ids.unbound.gid = 2008;
sane.ids.resolvconf.gid = 2009;
sane.ids.smartd.uid = 2010;
sane.ids.smartd.gid = 2010;
# found on graphical hosts
sane.ids.nm-iodine.uid = 2101; # desko/moby/lappy


@@ -1,4 +1,4 @@
{ config, lib, ... }:
{ config, lib, pkgs, ... }:
let
cfg = config.sane.programs.smartmontools;
in
@@ -11,6 +11,50 @@ in
sandbox.tryKeepUsers = true;
};
# TODO: service sandboxing
services.smartd.enable = lib.mkIf cfg.enabled true;
# don't depend on /run/wrappers/bin/sendmail
services.smartd.notifications.mail.mailer = lib.mkIf cfg.enabled (lib.getExe' pkgs.postfix "sendmail");
users.users.smartd = lib.mkIf cfg.enabled {
isSystemUser = true;
group = "disk"; # for access to /dev/sd*
extraGroups = [ "postdrop" ]; # for mail delivery
};
systemd.services.smartd = {
# hardening options (`systemd-analyze security smartd`)
serviceConfig.User = "smartd";
serviceConfig.AmbientCapabilities = [ "CAP_SYS_RAWIO" ];
serviceConfig.CapabilityBoundingSet = [ "CAP_SYS_RAWIO" ];
serviceConfig.NoNewPrivileges = true;
serviceConfig.DevicePolicy = "closed";
serviceConfig.DeviceAllow = "block-sd r";
serviceConfig.LockPersonality = true;
serviceConfig.MemoryDenyWriteExecute = true;
serviceConfig.PrivateIPC = true;
serviceConfig.PrivateMounts = true;
serviceConfig.PrivateNetwork = true;
serviceConfig.PrivateTmp = true;
serviceConfig.ProcSubset = "pid";
serviceConfig.ProtectClock = true;
serviceConfig.ProtectControlGroups = true;
serviceConfig.ProtectHome = true;
serviceConfig.ProtectHostname = true;
serviceConfig.ProtectKernelLogs = true;
serviceConfig.ProtectKernelModules = true;
serviceConfig.ProtectKernelTunables = true;
serviceConfig.ProtectProc = "invisible";
serviceConfig.ProtectSystem = "strict";
serviceConfig.RestrictAddressFamilies = [ "AF_UNIX" ]; # AF_UNIX required for systemd to know the service has started
serviceConfig.RestrictRealtime = true;
serviceConfig.RestrictSUIDSGID = true;
serviceConfig.SystemCallArchitectures = "native";
serviceConfig.SystemCallFilter = [
"@system-service"
"~@resources"
# keep "@privileged" or "@raw-io", since it needs to do that
];
# serviceConfig.RestrictNamespaces = true;
serviceConfig.ReadWritePaths = "/var/lib/postfix/queue/maildrop";
# serviceConfig.PrivateUsers = true; # can't, because it requires CAP_SYS_RAWIO
};
}
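Review bot: The hardening block opened at `systemd.services.smartd = {` is not conditioned on `cfg.enabled`, unlike `services.smartd.enable`, the mailer and `users.users.smartd` directly above it, so on a host where the program is disabled NixOS would still emit a smartd unit carrying only these serviceConfig lines, with `User = "smartd"` naming an account that is never created. Gating it the same way fixes that: `systemd.services.smartd = lib.mkIf cfg.enabled {`. A narrower point: `DeviceAllow = "block-sd r"` under `DevicePolicy = "closed"` admits only SCSI/SATA block nodes, so if any host monitors an NVMe drive (a character node rather than a block-sd one) the sandbox will deny it silently from smartd's point of view — worth a comment recording that assumption, or an extra DeviceAllow entry if that case exists. The comment `# keep "@privileged" or "@raw-io", since it needs to do that` reads as if those groups are part of `@system-service`; as far as I know neither is, and what the SMART commands actually rely on is `ioctl`, which `@system-service` does include, so the comment might better name `ioctl` as the call a future tightening must not remove.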