nixos/home-assistant: allow netlink sockets and /proc/net inspection

Since v2021.5.0 home-assistant uses the ifaddr library in the zeroconf
component to enumerate network interfaces via netlink. Since discovery
is all over the place lets allow AF_NETLINK unconditionally.

It also relies on pyroute2 now, which additionally tries to access files
in /proc/net, so we relax ProtectProc a bit by default as well.

This leaves us with these options unsecured:

✗ PrivateNetwork=                                             Service has access to the host's network                                                                 0.5
✗ RestrictAddressFamilies=~AF_(INET|INET6)                    Service may allocate Internet sockets                                                                    0.3
✗ DeviceAllow=                                                Service has a device ACL with some special devices                                                       0.1
✗ IPAddressDeny=                                              Service does not define an IP address allow list                                                         0.2
✗ PrivateDevices=                                             Service potentially has access to hardware devices                                                       0.2
✗ PrivateUsers=                                               Service has access to other users                                                                        0.2
✗ SystemCallFilter=~@resources                                System call allow list defined for service, and @resources is included (e.g. ioprio_set is allowed)      0.2
✗ RestrictAddressFamilies=~AF_NETLINK                         Service may allocate netlink sockets                                                                     0.1
✗ RootDirectory=/RootImage=                                   Service runs within the host's root directory                                                            0.1
✗ SupplementaryGroups=                                        Service runs with supplementary groups                                                                   0.1
✗ RestrictAddressFamilies=~AF_UNIX                            Service may allocate local sockets                                                                       0.1
✗ ProcSubset=                                                 Service has full access to non-process /proc files (/proc subset=)                                       0.1

→ Overall exposure level for home-assistant.service: 1.6 OK 🙂
This commit is contained in:
Martin Weinelt 2021-05-06 16:44:16 +02:00
parent 3bab9a19ad
commit 24adc01e2e
No known key found for this signature in database
GPG Key ID: 87C1E9888F856759

View File

@ -298,7 +298,7 @@ in {
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProcSubset = "pid";
ProcSubset = "all";
ProtectSystem = "strict";
RemoveIPC = true;
ReadWritePaths = let
@ -308,9 +308,10 @@ in {
allowPaths = if isList value then value else singleton value;
in [ "${cfg.configDir}" ] ++ allowPaths;
RestrictAddressFamilies = [
"AF_UNIX"
"AF_INET"
"AF_INET6"
"AF_NETLINK"
"AF_UNIX"
] ++ optionals (useComponent "bluetooth_tracker" || useComponent "bluetooth_le_tracker") [
"AF_BLUETOOTH"
];