colin/nix-files
1
0
Fork 1
Code Issues Pull Requests Projects Releases Wiki Activity

networkmanager: restrict service (using systemd options)

Browse Source
This commit is contained in:
Colin
2024-06-03 13:05:51 +00:00
parent f6725f60b9
commit 80eb385c64
1 changed files with 28 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

30
hosts/common/net/networkmanager.nix
View File

@@ -61,12 +61,38 @@ in {
serviceConfig.AmbientCapabilities = [ serviceConfig.AmbientCapabilities = [
# "CAP_DAC_OVERRIDE" # "CAP_DAC_OVERRIDE"
"CAP_NET_ADMIN" "CAP_NET_ADMIN"
"CAP_NET_RAW" "CAP_NET_RAW" #< required, else `libndp: ndp_sock_open: Failed to create ICMP6 socket.`
"CAP_NET_BIND_SERVICE" #< this *does* seem to be necessary, though i don't understand why. DHCP? "CAP_NET_BIND_SERVICE" #< this *does* seem to be necessary, though i don't understand why. DHCP?
# "CAP_SYS_MODULE" # "CAP_SYS_MODULE"
"CAP_AUDIT_WRITE" #< allow writing to the audit log # "CAP_AUDIT_WRITE" #< allow writing to the audit log (optional)
# "CAP_KILL" # "CAP_KILL"
]; ];
serviceConfig.LockPersonality = true;
serviceConfig.PrivateDevices = true; # remount /dev with just the basics, syscall filter to block @raw-io
serviceConfig.PrivateIPC = true;
# serviceConfig.PrivateUsers = true; #< BREAKS NetworkManager (presumably, it causes a new user namespace, breaking CAP_NET_ADMIN & others). "platform-linux: do-change-link[3]: failure 1 (Operation not permitted)"
serviceConfig.ProtectClock = true; # syscall filter to prevent changing the RTC
serviceConfig.ProtectControlGroups = true;
serviceConfig.ProtectHome = true; # makes empty: /home, /root, /run/user
serviceConfig.ProtectHostname = true; # probably not upstreamable: prevents changing hostname
serviceConfig.ProtectKernelLogs = true; # disable /proc/kmsg, /dev/kmsg
serviceConfig.ProtectKernelModules = true; # syscall filter to prevent module calls (probably not upstreamable: NM will want to load modules like `ppp`)
serviceConfig.ProtectKernelTunables = true; # but NM might need to write /proc/sys/net/...
serviceConfig.ProtectSystem = "full"; # makes read-only: /boot, /etc/, /usr. TODO: "strict" would make all but /dev, /proc, /sys inaccessible.
serviceConfig.RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
"AF_NETLINK" # breaks near DHCP without this
"AF_PACKET" # for DHCP
"AF_UNIX"
# AF_ALG ?
# AF_BLUETOOTH ?
# AF_BRIDGE ?
# AF_NETLINK ?
# AF_PACKET ?
];
serviceConfig.RestrictSUIDSGID = true;
serviceConfig.SystemCallArchitectures = "native"; # prevents e.g. aarch64 syscalls in the event that the kernel is multi-architecture.
# TODO: it needs these directories: # TODO: it needs these directories:
# - "/proc/net" # - "/proc/net"
# - "/proc/sys/net" # - "/proc/sys/net"