rsync-net: harden systemd service, and dodge the "pasta doesnt support root" bug

hosts/modules/services/rsync-net/default.nix

@@ -38,7 +38,39 @@ in
       serviceConfig.Type = "simple";
       serviceConfig.Restart = "no";
       serviceConfig.User = "colin";
-      serviceConfig.Group = "users";
+
+      # hardening
+      serviceConfig.AmbientCapabilities = [
+        # needs to be able to read files owned by any user
+        "CAP_DAC_READ_SEARCH"
+      ];
+      serviceConfig.CapabilityBoundingSet = [ "CAP_DAC_READ_SEARCH" ];
+      serviceConfig.ReadWritePaths = builtins.map (d: "${d}/zzz-rsync-net") cfg.dirs;
+      serviceConfig.ReadOnlyPaths = "/nix/persist/private";
+      serviceConfig.RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6 AF_NETLINK";
+
+      serviceConfig.LockPersonality = true;
+      serviceConfig.MemoryDenyWriteExecute = true;
+      serviceConfig.PrivateMounts = true;
+      serviceConfig.PrivateUsers = true;
+      serviceConfig.ProcSubset = "pid";
+      serviceConfig.ProtectClock = "true";
+      serviceConfig.ProtectControlGroups = true;
+      serviceConfig.ProtectHome = true;
+      serviceConfig.ProtectHostname = true;
+      serviceConfig.ProtectKernelLogs = true;
+      serviceConfig.ProtectKernelModules = true;
+      serviceConfig.ProtectKernelTunables = true;
+      serviceConfig.ProtectProc = "invisible";
+      serviceConfig.ProtectSystem = "strict";
+      serviceConfig.RemoveIPC = true;
+      serviceConfig.RestrictSUIDSGID = true;
+      serviceConfig.SystemCallArchitectures = "native";
+      serviceConfig.SystemCallFilter = "@system-service @mount";
+      # hardening exceptions:
+      serviceConfig.NoNewPrivileges = false;  #< bwrap'd dac_read_search
+      serviceConfig.PrivateDevices = false;  #< passt/pasta
+      serviceConfig.RestrictNamespaces = false;  #< bwrap
     };
     systemd.timers.rsync-net = {
       wantedBy = [ "multi-user.target" ];

hosts/modules/services/rsync-net/sane-backup-rsync-net

@@ -24,11 +24,14 @@ for dir in "$@"; do
 
   now=$(date '+%s')
   echo "syncing '$dir' to '$remote_dir'"
-  echo "$now" > "$dir"/zzz-rsync-net-last-attempted
-  # N.B.: the `--exclude=$RN_ID` flag is a noop to get the ID file to be included in the sandbox...
+  echo "$now" > "$dir"/zzz-rsync-net/last-attempted
   # N.B.: manual flags instead of `-a -> -rlptgoD` because device files have a max path length which is too restricted
-  if sane-vpn do unmetered -- rsync --exclude="$RN_ID" -e "ssh -i $RN_ID" --mkpath -rlptgov --delete "$dir" "$remote_dir"; then
-    echo "$now" > "$dir"/zzz-rsync-net-last-completed
+  # if SANEBOX_PREPEND="--sanebox-disable" \
+  if SANEBOX_PREPEND="--sanebox-cap dac_read_search --sanebox-path $RN_ID" \
+    sane-vpn do unmetered -- \
+    rsync --exclude="$RN_ID" -e "ssh -i $RN_ID" --mkpath -rlptgov --delete "$dir" "$remote_dir"; \
+  then
+    echo "$now" > "$dir"/zzz-rsync-net/last-completed
     rc=0$rc
   else
     rc=1

scripts/check-backups

@@ -16,8 +16,8 @@ ssh -i "$RN_ID" "$RN_USER@$RN_USER.rsync.net" ls -al
 for host in desko lappy moby servo; do
   dir=nix/persist/private
   now=$(date +'%s')
-  last_attempted=$(ssh -i "$RN_ID" "$RN_USER@$RN_USER.rsync.net" -- cat "$host/$dir/zzz-rsync-net-last-attempted")
-  last_completed=$(ssh -i "$RN_ID" "$RN_USER@$RN_USER.rsync.net" -- cat "$host/$dir/zzz-rsync-net-last-completed")
+  last_attempted=$(ssh -i "$RN_ID" "$RN_USER@$RN_USER.rsync.net" -- cat "$host/$dir/zzz-rsync-net/last-attempted")
+  last_completed=$(ssh -i "$RN_ID" "$RN_USER@$RN_USER.rsync.net" -- cat "$host/$dir/zzz-rsync-net/last-completed")
   age_attempted=$(( "$now" - "${last_attempted:-0}" ))
   age_completed=$(( "$now" - "${last_completed:-0}" ))
   if ! [[ "$age_completed" -lt 432000 ]]; then