From e2a1e6730d7749738b6b8974ae440326de20f47b Mon Sep 17 00:00:00 2001
From: Colin
Date: Mon, 3 Jun 2024 15:31:50 +0000
Subject: [PATCH] NetworkManager-dispatcher: harden systemd service

---
 hosts/common/net/networkmanager.nix | 21 +++++++++++++++++++--
 1 file changed, 19 insertions(+), 2 deletions(-)

diff --git a/hosts/common/net/networkmanager.nix b/hosts/common/net/networkmanager.nix
index 4468930a..ac32ace4 100644
--- a/hosts/common/net/networkmanager.nix
+++ b/hosts/common/net/networkmanager.nix
@@ -120,9 +120,26 @@ in {
 # ];
 # serviceConfig.Restart = "always";
 # serviceConfig.RestartSec = "1s";
- serviceConfig.User = "networkmanager";
+
+ serviceConfig.User = "networkmanager"; # TODO: should arguably use `DynamicUser`
 serviceConfig.Group = "networkmanager";
- # TODO: it needs access only to the above mentioned directories
+ serviceConfig.LockPersonality = true;
+ serviceConfig.PrivateDevices = true; # remount /dev with just the basics, syscall filter to block @raw-io
+ serviceConfig.PrivateIPC = true;
+ serviceConfig.PrivateUsers = true;
+ serviceConfig.ProtectClock = true; # syscall filter to prevent changing the RTC
+ serviceConfig.ProtectControlGroups = true;
+ serviceConfig.ProtectHome = true; # makes empty: /home, /root, /run/user
+ serviceConfig.ProtectHostname = true; # probably not upstreamable: prevents changing hostname
+ serviceConfig.ProtectKernelLogs = true; # disable /proc/kmsg, /dev/kmsg
+ serviceConfig.ProtectKernelModules = true; # syscall filter to prevent module calls
+ serviceConfig.ProtectKernelTunables = true;
+ serviceConfig.ProtectSystem = "full"; # makes read-only: /boot, /etc/, /usr. `strict` isn't possible due to trust-dns hook
+ serviceConfig.RestrictAddressFamilies = [
+ "AF_UNIX" # required, probably for dbus or systemd connectivity
+ ];
+ serviceConfig.RestrictSUIDSGID = true;
+ serviceConfig.SystemCallArchitectures = "native"; # prevents e.g. aarch64 syscalls in the event that the kernel is multi-architecture.
 };
 
 # harden wpa_supplicant (used by NetworkManager)
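Review bot: The `ProtectSystem = "full"` line leaves `/var`, `/run` and everything outside `/boot`, `/etc` and `/usr` writable to every dispatcher hook, which is broader than the stated reason (a single trust-dns hook) requires; `serviceConfig.ProtectSystem = "strict";` together with `serviceConfig.ReadWritePaths = [ "<PATH_THE_TRUST_DNS_HOOK_WRITES>" ];` would confine the writable set to exactly that path. The new block also sets no `SystemCallFilter`, so hooks keep the full syscall surface apart from the module/clock/raw-io filters the individual `Protect*` options imply; `serviceConfig.SystemCallFilter = [ "@system-service" ];` is the usual companion to `SystemCallArchitectures = "native"`, provided the hooks are checked against it, and an explicit `serviceConfig.CapabilityBoundingSet = "";` would make the no-privilege intent of the `User` line visible rather than relying on the implied `NoNewPrivileges`. The `AF_UNIX`-only `RestrictAddressFamilies` is hedged "probably" in its own comment — a hook that resolves names or queries netlink would fail with EAFNOSUPPORT, so this is worth confirming from the service's journal on a real connection change before relying on it. The enclosing service definition starts before this hunk.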