From 8c256c629b8608c17c471df2d04505a58c301207 Mon Sep 17 00:00:00 2001
From: Colin
Date: Mon, 3 Jun 2024 16:23:22 +0000
Subject: [PATCH] networkmanager: harden further with NoNewPrivileges and PrivateTmp

---
 hosts/common/net/networkmanager.nix | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/hosts/common/net/networkmanager.nix b/hosts/common/net/networkmanager.nix
index fb1a48a2..b0d4366a 100644
--- a/hosts/common/net/networkmanager.nix
+++ b/hosts/common/net/networkmanager.nix
@@ -68,8 +68,10 @@ in {
 # "CAP_KILL"
 ];
 serviceConfig.LockPersonality = true;
+ serviceConfig.NoNewPrivileges = true;
 serviceConfig.PrivateDevices = true; # remount /dev with just the basics, syscall filter to block @raw-io
 serviceConfig.PrivateIPC = true;
+ serviceConfig.PrivateTmp = true;
 # serviceConfig.PrivateUsers = true; #< BREAKS NetworkManager (presumably, it causes a new user namespace, breaking CAP_NET_ADMIN & others). "platform-linux: do-change-link[3]: failure 1 (Operation not permitted)"
 serviceConfig.ProtectClock = true; # syscall filter to prevent changing the RTC
 serviceConfig.ProtectControlGroups = true;
@@ -125,8 +127,10 @@ in {
 serviceConfig.User = "networkmanager"; # TODO: should arguably use `DynamicUser`
 serviceConfig.Group = "networkmanager";
 serviceConfig.LockPersonality = true;
+ serviceConfig.NoNewPrivileges = true;
 serviceConfig.PrivateDevices = true; # remount /dev with just the basics, syscall filter to block @raw-io
 serviceConfig.PrivateIPC = true;
+ serviceConfig.PrivateTmp = true;
 serviceConfig.PrivateUsers = true;
 serviceConfig.ProtectClock = true; # syscall filter to prevent changing the RTC
 serviceConfig.ProtectControlGroups = true;
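Review bot: The added `NoNewPrivileges` and `PrivateTmp` lines carry no comment, while the neighbouring sandboxing lines in this block each record what they block or whether they were tried (`PrivateDevices`, `ProtectClock`, the commented-out `PrivateUsers`), so a later reader cannot tell whether these two were verified against a running NetworkManager; the same applies to the second hunk at -125 and the third hunk at -152. Suggest annotating them in the same style, e.g. `serviceConfig.NoNewPrivileges = true; # no privilege gain via setuid/fscap binaries across execve` and `serviceConfig.PrivateTmp = true; # private /tmp and /var/tmp, not shared with other services`. As far as I recall, systemd.exec(5) documents that several options already set here (`ProtectClock`, `PrivateDevices`, `LockPersonality`) imply `NoNewPrivileges=yes` for a service not running as root, so in the `User = "networkmanager"` unit the explicit line may be recording an already-effective flag rather than tightening anything — worth confirming against the manual and stating in the comment. The enclosing service attribute set starts and ends outside the hunk.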
@@ -152,8 +156,10 @@ in {
 "CAP_NET_RAW"
 ];
 serviceConfig.LockPersonality = true;
+ serviceConfig.NoNewPrivileges = true;
 # serviceConfig.PrivateDevices = true; # untried, not likely to work. remount /dev with just the basics, syscall filter to block @raw-io
 serviceConfig.PrivateIPC = true;
+ serviceConfig.PrivateTmp = true;
 # serviceConfig.PrivateUsers = true; #< untried, not likely to work
 serviceConfig.ProtectClock = true; # syscall filter to prevent changing the RTC
 serviceConfig.ProtectControlGroups = true;