fs: persist/private: harden systemd mount file

2024-08-02 05:17:44 +00:00
parent 6e5bde17aa
commit 96dfe79a8c
2 changed files with 36 additions and 2 deletions


@@ -63,7 +63,7 @@ lib.mkIf config.sane.persist.enable
type = fsEntry.fsType;
options = lib.concatStringsSep "," fsEntry.options;
# sandbox options
# hardening (systemd-analyze security mnt-persist-ephemeral.mount)
mountConfig.AmbientCapabilities = "";
# CAP_LEASE is probably not necessary -- does any fs user use leases?
mountConfig.CapabilityBoundingSet = "CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_CHOWN CAP_MKNOD CAP_LEASE CAP_SETGID CAP_SETUID CAP_FOWNER";
@@ -84,7 +84,6 @@ lib.mkIf config.sane.persist.enable
mountConfig.SystemCallArchitectures = "native";
mountConfig.SystemCallFilter = [
# unfortunately, i need to keep @network-io (accept, bind, connect, listen, recv, send, socket, ...). not sure why (daemon control socket?).
# TODO: @module?
"@system-service" "@mount" "~@cpu-emulation" "~@keyring"
];
mountConfig.IPAddressDeny = "any";
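Review bot: The `mountConfig` hardening block edited here (AmbientCapabilities through IPAddressDeny) is repeated nearly verbatim in the private mount unit this commit adds, so the two copies will have to be kept in step by hand; lifting the common settings into one attrset in a `let` (e.g. `hardenedMountConfig`) and merging per-mount overrides with `//` would remove that drift risk. The retained `CAP_SYS_ADMIN` in `CapabilityBoundingSet` is also what bounds how much the rest of the sandbox can achieve; since mount(2) needs it, a comment such as `# CAP_SYS_ADMIN is required by mount(2); the remaining settings limit what else the unit can do with it` would make clear that this exposure is accepted rather than overlooked, in the same spirit as the existing CAP_LEASE note. The attrset this hunk belongs to begins and ends outside the hunk.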


@@ -125,6 +125,41 @@ lib.mkIf config.sane.persist.enable
mode = "0700";
};
systemd.mounts = let
fsEntry = config.fileSystems."${origin}";
in [{
#VVV repeat what systemd would ordinarily scrape from /etc/fstab
where = origin;
what = fsEntry.device;
type = fsEntry.fsType;
options = lib.concatStringsSep "," fsEntry.options;
# hardening (systemd-analyze security mnt-persist-private.mount)
mountConfig.AmbientCapabilities = "";
# CAP_LEASE is probably not necessary -- does any fs user use leases?
mountConfig.CapabilityBoundingSet = "CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_CHOWN CAP_MKNOD CAP_LEASE CAP_SETGID CAP_SETUID CAP_FOWNER";
mountConfig.LockPersonality = true;
mountConfig.MemoryDenyWriteExecute = true;
mountConfig.NoNewPrivileges = true;
mountConfig.ProtectClock = true;
mountConfig.ProtectHostname = true;
mountConfig.RemoveIPC = true;
mountConfig.RestrictAddressFamilies = "AF_UNIX"; # "none" works, but then it can't connect to the logger
mountConfig.RestrictNamespaces = true;
mountConfig.RestrictNetworkInterfaces = "";
mountConfig.RestrictRealtime = true;
mountConfig.RestrictSUIDSGID = true;
mountConfig.SystemCallArchitectures = "native";
mountConfig.SystemCallFilter = [
# unfortunately, i need to keep @network-io (accept, bind, connect, listen, recv, send, socket, ...). not sure why (daemon control socket?).
"@system-service" "@mount" "~@cpu-emulation" "~@keyring"
];
mountConfig.IPAddressDeny = "any";
mountConfig.DevicePolicy = "closed"; # only allow /dev/{null,zero,full,random,urandom}
mountConfig.DeviceAllow = "/dev/fuse";
mountConfig.SocketBindDeny = "any";
}];
system.fsPackages = [ gocryptfs-private ];
sane.user.services.gocryptfs-private = {