From 9b4e91fbd91ae731d334785d4c27b177e8bb3384 Mon Sep 17 00:00:00 2001
From: Colin
Date: Sat, 3 Aug 2024 16:27:42 +0000
Subject: [PATCH] /mnt/$host/home: harden systemd settings

---
 hosts/common/fs.nix | 32 +++++++++++++++++++++++++++++---
 1 file changed, 29 insertions(+), 3 deletions(-)

diff --git a/hosts/common/fs.nix b/hosts/common/fs.nix
index 996d47fb7..2e9332c20 100644
--- a/hosts/common/fs.nix
+++ b/hosts/common/fs.nix
@@ -132,11 +132,38 @@ let
 mount.depends = [ "network-online.target" ];
 mount.mountConfig.ExecSearchPath = [ "/run/current-system/sw/bin" ];
 mount.mountConfig.User = "colin";
- mount.mountConfig.Group = "users";
 mount.mountConfig.AmbientCapabilities = "CAP_SETPCAP CAP_SYS_ADMIN";
- # hardening (systemd-analyze security mnt-desko-home.mount): TODO
+ # hardening (systemd-analyze security mnt-desko-home.mount):
+ # TODO: i can't use ProtectSystem=full here, because i can't create a new mount space; but...
+ # with drop_privileges, i *could* sandbox the actual `sshfs` program using e.g. bwrap
 mount.mountConfig.CapabilityBoundingSet = "CAP_SETPCAP CAP_SYS_ADMIN";
+ mount.mountConfig.LockPersonality = true;
+ mount.mountConfig.MemoryDenyWriteExecute = true;
 mount.mountConfig.NoNewPrivileges = true;
+ mount.mountConfig.ProtectClock = true;
+ mount.mountConfig.ProtectHostname = true;
+ mount.mountConfig.RemoveIPC = true;
+ mount.mountConfig.RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6";
+ #VVV this includes anything it reads from, e.g. /bin/sh; /nix/store/...
+ # see `systemd-analyze filesystems` for a full list
+ mount.mountConfig.RestrictFileSystems = "@common-block @basic-api fuse";
+ mount.mountConfig.RestrictNamespaces = true;
+ mount.mountConfig.RestrictRealtime = true;
+ mount.mountConfig.RestrictSUIDSGID = true;
+ mount.mountConfig.SystemCallArchitectures = "native";
+ mount.mountConfig.SystemCallFilter = [
+ "@system-service"
+ "@mount"
+ "~@chown"
+ "~@cpu-emulation"
+ "~@keyring"
+ # could remove almost all io calls, however one has to keep `open`, and `write`, to communicate with the fuse device.
+ # so that's pretty useless as a way to prevent write access
+ ];
+ mount.mountConfig.IPAddressDeny = "any";
+ mount.mountConfig.IPAddressAllow = "10.0.0.0/8";
+ mount.mountConfig.DevicePolicy = "closed"; # only allow /dev/{null,zero,full,random,urandom}
+ mount.mountConfig.DeviceAllow = "/dev/fuse";
 };
 };
 remoteServo = subdir: let
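Review bot: `mount.mountConfig.RestrictNamespaces = true;` forecloses the bwrap idea recorded in the TODO comment a few lines above it in this hunk: bwrap sandboxes by unsharing user and mount namespaces, and `RestrictNamespaces=true` forbids creating any namespace type for every process in the unit, so the comment should say so to save the next reader a debugging round, e.g. `# NOTE: RestrictNamespaces=true also blocks bwrap; relax it to the needed types (mnt, user) if that plan is pursued`. Two of the new settings, `RestrictFileSystems` and the `IPAddressDeny`/`IPAddressAllow` pair, are enforced via BPF, and as far as I recall systemd skips them with only a logged warning on a kernel or build without that support rather than failing the unit, so a green `systemd-analyze security` score does not by itself show they are in force; a one-line comment noting where to confirm enforcement would be useful. Minor and possibly intentional: `IPAddressAllow = "10.0.0.0/8"` admits the whole private range, whereas a home mount presumably talks to one host, so a single-host prefix would be tighter if the peer address is stable.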
@@ -165,7 +192,6 @@ let
 mount.mountConfig.TimeoutSec = "10s";
 mount.mountConfig.User = "colin";
- mount.mountConfig.Group = "users";
 mount.mountConfig.AmbientCapabilities = "CAP_SYS_ADMIN";
 # hardening (systemd-analyze security mnt-servo-playground.mount)
 mount.mountConfig.CapabilityBoundingSet = "CAP_SYS_ADMIN";