networkmanager: tighten ProtectSystem to "strict"

2024-06-03 15:09:53 +00:00 · 2024-06-03 15:09:53 +00:00 · a1e923f999
commit a1e923f999
parent 09333c992c
1 changed files with 3 additions and 5 deletions
--- a/hosts/common/net/networkmanager.nix
+++ b/hosts/common/net/networkmanager.nix
@ -78,7 +78,7 @@ in {
    serviceConfig.ProtectKernelLogs = true;  # disable /proc/kmsg, /dev/kmsg
    serviceConfig.ProtectKernelModules = true;  # syscall filter to prevent module calls (probably not upstreamable: NM will want to load modules like `ppp`)
    serviceConfig.ProtectKernelTunables = true;  # but NM might need to write /proc/sys/net/...
-    serviceConfig.ProtectSystem = "full";  # makes read-only: /boot, /etc/, /usr. TODO: "strict" would make all but /dev, /proc, /sys inaccessible.
+    serviceConfig.ProtectSystem = "strict";  # makes read-only: all but /dev, /proc, /sys.
    serviceConfig.RestrictAddressFamilies = [
      "AF_INET"
      "AF_INET6"
@ -88,19 +88,17 @@ in {
      # AF_ALG ?
      # AF_BLUETOOTH ?
      # AF_BRIDGE ?
-      # AF_NETLINK ?
-      # AF_PACKET ?
    ];
    serviceConfig.RestrictSUIDSGID = true;
    serviceConfig.SystemCallArchitectures = "native";  # prevents e.g. aarch64 syscalls in the event that the kernel is multi-architecture.
-    # TODO: it needs these directories:
+    # from earlier `landlock` sandboxing, i know it needs these directories:
    # - "/proc/net"
    # - "/proc/sys/net"
    # - "/run/NetworkManager"
    # - "/run/systemd"  # for trust-dns-nmhook
    # - "/run/udev"
    # - # "/run/wg-home.priv"
-    # - "/sys/class"  #< TODO: specify this more precisely
+    # - "/sys/class"
    # - "/sys/devices"
    # - "/var/lib/NetworkManager"
    # - "/var/lib/trust-dns"  #< for trust-dns-nmhook