treewide: Remove ineffective capability grants. (#333533)
commit
0fc41ad977
@ -1,7 +1,7 @@
|
|||||||
{ config, lib, pkgs, ... }:
|
{ config, lib, pkgs, ... }:
|
||||||
|
|
||||||
let
|
let
|
||||||
inherit (lib) getExe mkIf mkOption mkEnableOption optionals types;
|
inherit (lib) getExe mkIf mkOption mkEnableOption types;
|
||||||
|
|
||||||
cfg = config.services.mollysocket;
|
cfg = config.services.mollysocket;
|
||||||
configuration = format.generate "mollysocket.conf" cfg.settings;
|
configuration = format.generate "mollysocket.conf" cfg.settings;
|
||||||
@ -85,9 +85,7 @@ in {
|
|||||||
after = [ "network-online.target" ];
|
after = [ "network-online.target" ];
|
||||||
wants = [ "network-online.target" ];
|
wants = [ "network-online.target" ];
|
||||||
environment.RUST_LOG = cfg.logLevel;
|
environment.RUST_LOG = cfg.logLevel;
|
||||||
serviceConfig = let
|
serviceConfig = {
|
||||||
capabilities = [ "" ] ++ optionals (cfg.settings.port < 1024) [ "CAP_NET_BIND_SERVICE" ];
|
|
||||||
in {
|
|
||||||
EnvironmentFile = cfg.environmentFile;
|
EnvironmentFile = cfg.environmentFile;
|
||||||
ExecStart = "${getExe package} server";
|
ExecStart = "${getExe package} server";
|
||||||
KillSignal = "SIGINT";
|
KillSignal = "SIGINT";
|
||||||
@ -97,8 +95,6 @@ in {
|
|||||||
WorkingDirectory = "/var/lib/mollysocket";
|
WorkingDirectory = "/var/lib/mollysocket";
|
||||||
|
|
||||||
# hardening
|
# hardening
|
||||||
AmbientCapabilities = capabilities;
|
|
||||||
CapabilityBoundingSet = capabilities;
|
|
||||||
DevicePolicy = "closed";
|
DevicePolicy = "closed";
|
||||||
DynamicUser = true;
|
DynamicUser = true;
|
||||||
LockPersonality = true;
|
LockPersonality = true;
|
||||||
|
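Review bot: Dropping `AmbientCapabilities`/`CapabilityBoundingSet` here leaves the unit no way to bind a `settings.port` below 1024, yet the hunk adds no evaluation-time diagnostic, so such a configuration now fails only when mollysocket tries to bind. The grant was presumably ineffective because this unit runs under `DynamicUser = true` (and, I assume, a `PrivateUsers` setting outside the hunk) where an ambient CAP_NET_BIND_SERVICE does not apply to the host network namespace — confirm against the rest of the file. I would record that under `# hardening`, e.g. `# No capability grants: under DynamicUser/PrivateUsers the unit cannot bind ports < 1024; use a reverse proxy or raise net.ipv4.ip_unprivileged_port_start`, and add an assertion such as `{ assertion = cfg.settings.port >= 1024; message = "services.mollysocket: settings.port must be >= 1024 (the hardened unit cannot bind privileged ports)"; }`. The serviceConfig attrset begins and ends outside this hunk.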
@ -372,9 +372,6 @@ in
|
|||||||
SystemCallFilter = defaultServiceConfig.SystemCallFilter ++ [ "@setuid mbind" ];
|
SystemCallFilter = defaultServiceConfig.SystemCallFilter ++ [ "@setuid mbind" ];
|
||||||
# Needs to serve web page
|
# Needs to serve web page
|
||||||
PrivateNetwork = false;
|
PrivateNetwork = false;
|
||||||
} // lib.optionalAttrs (cfg.port < 1024) {
|
|
||||||
AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
|
|
||||||
CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
|
|
||||||
};
|
};
|
||||||
environment = env // {
|
environment = env // {
|
||||||
PYTHONPATH = "${cfg.package.python.pkgs.makePythonPath cfg.package.propagatedBuildInputs}:${cfg.package}/lib/paperless-ngx/src";
|
PYTHONPATH = "${cfg.package.python.pkgs.makePythonPath cfg.package.propagatedBuildInputs}:${cfg.package}/lib/paperless-ngx/src";
|
||||||
|
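Review bot: The `# Needs to serve web page` comment now sits next to the only remaining network-related setting, but once the `optionalAttrs (cfg.port < 1024)` block is gone the unit can serve only unprivileged ports, and nothing in the hunk tells the user that. Whether the old grant was truly inert depends on settings outside this hunk (what looks like the same file's `defaultServiceConfig` carries `NoNewPrivileges = true`, and I assume `PrivateUsers`); either way a `cfg.port` below 1024 now fails at bind time instead of at evaluation. Suggest extending the comment to `# Needs to serve web page; only ports >= 1024 can be bound (no capability grants under this hardening)` and, where `cfg.port` is declared, adding an assertion that `cfg.port >= 1024`. The `serviceConfig` expression starts outside the hunk.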
@ -119,9 +119,6 @@ in
|
|||||||
# gunicorn needs setuid
|
# gunicorn needs setuid
|
||||||
SystemCallFilter = [ "@system-service" "~@privileged" "@resources" "@setuid" "@keyring" ];
|
SystemCallFilter = [ "@system-service" "~@privileged" "@resources" "@setuid" "@keyring" ];
|
||||||
UMask = "0066";
|
UMask = "0066";
|
||||||
} // lib.optionalAttrs (cfg.port < 1024) {
|
|
||||||
AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
|
|
||||||
CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
|
|
||||||
};
|
};
|
||||||
|
|
||||||
wantedBy = [ "multi-user.target" ];
|
wantedBy = [ "multi-user.target" ];
|
||||||
|
@ -69,7 +69,6 @@ in
|
|||||||
wantedBy = [ "multi-user.target" ];
|
wantedBy = [ "multi-user.target" ];
|
||||||
environment = mapAttrs (_: v: if isBool v then boolToString v else toString v) cfg.settings;
|
environment = mapAttrs (_: v: if isBool v then boolToString v else toString v) cfg.settings;
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
|
|
||||||
DevicePolicy = "closed";
|
DevicePolicy = "closed";
|
||||||
DynamicUser = true;
|
DynamicUser = true;
|
||||||
ExecStart = "${getExe cfg.package} --provider ${cfg.provider}";
|
ExecStart = "${getExe cfg.package} --provider ${cfg.provider}";
|
||||||
|
@ -126,7 +126,6 @@ in
|
|||||||
wantedBy = [ "multi-user.target" ];
|
wantedBy = [ "multi-user.target" ];
|
||||||
environment = mapAttrs (_: v: if isBool v then boolToString v else toString v) cfg.settings;
|
environment = mapAttrs (_: v: if isBool v then boolToString v else toString v) cfg.settings;
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
|
|
||||||
DevicePolicy = "closed";
|
DevicePolicy = "closed";
|
||||||
DynamicUser = true;
|
DynamicUser = true;
|
||||||
ExecStart = "${getExe cfg.package}";
|
ExecStart = "${getExe cfg.package}";
|
||||||
|
@ -1834,8 +1834,6 @@ in
|
|||||||
StateDirectory = cfg.stateDir;
|
StateDirectory = cfg.stateDir;
|
||||||
StateDirectoryMode = "0700";
|
StateDirectoryMode = "0700";
|
||||||
# Hardening
|
# Hardening
|
||||||
AmbientCapabilities = lib.mkIf (cfg.port < 1024) [ "CAP_NET_BIND_SERVICE" ];
|
|
||||||
CapabilityBoundingSet = if (cfg.port < 1024) then [ "CAP_NET_BIND_SERVICE" ] else [ "" ];
|
|
||||||
DeviceAllow = [ "/dev/null rw" ];
|
DeviceAllow = [ "/dev/null rw" ];
|
||||||
DevicePolicy = "strict";
|
DevicePolicy = "strict";
|
||||||
LockPersonality = true;
|
LockPersonality = true;
|
||||||
|
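Review bot: Removing `CapabilityBoundingSet = if (cfg.port < 1024) then [ "CAP_NET_BIND_SERVICE" ] else [ "" ];` drops not only the grant but also the `else [ "" ]` branch, which emptied the bounding set in the common case; the unit now falls back to systemd's default bounding set. Whether that is observable depends on the user the unit runs as and on `NoNewPrivileges`/`PrivateUsers`, none of which are in this hunk, but an empty bounding set is cheap defence in depth and the commit title only promises to remove grants. I would keep `CapabilityBoundingSet = "";` under `# Hardening`, as the final hunk of this commit does for another service. The surrounding `serviceConfig` begins and ends outside the hunk.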
@ -80,7 +80,6 @@ in
|
|||||||
];
|
];
|
||||||
|
|
||||||
RuntimeDirectory = "dex";
|
RuntimeDirectory = "dex";
|
||||||
AmbientCapabilities = "CAP_NET_BIND_SERVICE";
|
|
||||||
BindReadOnlyPaths = [
|
BindReadOnlyPaths = [
|
||||||
"/nix/store"
|
"/nix/store"
|
||||||
"-/etc/dex"
|
"-/etc/dex"
|
||||||
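Review bot: With `AmbientCapabilities = "CAP_NET_BIND_SERVICE"` gone, dex can no longer listen on a privileged port whatever its web settings say, and the hunk leaves no comment or option text recording that. The grant was presumably a no-op because of a `PrivateUsers` setting outside this hunk (the unit is `DynamicUser = true`, visible in the next hunk); if that is the reason it deserves a one-line comment near `RuntimeDirectory = "dex";`, e.g. `# No capability grants: the unit runs in a user namespace, so listen addresses must use ports >= 1024`. The serviceConfig attrset begins and ends outside the hunk.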
@ -91,7 +90,6 @@ in
|
|||||||
"-/etc/ssl/certs/ca-certificates.crt"
|
"-/etc/ssl/certs/ca-certificates.crt"
|
||||||
];
|
];
|
||||||
BindPaths = optional (cfg.settings.storage.type == "postgres") "/var/run/postgresql";
|
BindPaths = optional (cfg.settings.storage.type == "postgres") "/var/run/postgresql";
|
||||||
CapabilityBoundingSet = "CAP_NET_BIND_SERVICE";
|
|
||||||
# ProtectClock= adds DeviceAllow=char-rtc r
|
# ProtectClock= adds DeviceAllow=char-rtc r
|
||||||
DeviceAllow = "";
|
DeviceAllow = "";
|
||||||
DynamicUser = true;
|
DynamicUser = true;
|
||||||
|
@ -164,7 +164,6 @@ in
|
|||||||
let
|
let
|
||||||
defaultServiceConfig = {
|
defaultServiceConfig = {
|
||||||
ReadWritePaths = "${cfg.dataDir}";
|
ReadWritePaths = "${cfg.dataDir}";
|
||||||
CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
|
|
||||||
DeviceAllow = "";
|
DeviceAllow = "";
|
||||||
LockPersonality = true;
|
LockPersonality = true;
|
||||||
NoNewPrivileges = true;
|
NoNewPrivileges = true;
|
||||||
|
@ -61,7 +61,6 @@ in
|
|||||||
wantedBy = [ "multi-user.target" ];
|
wantedBy = [ "multi-user.target" ];
|
||||||
environment = lib.mapAttrs (_: v: if lib.isBool v then lib.boolToString v else toString v) cfg.settings;
|
environment = lib.mapAttrs (_: v: if lib.isBool v then lib.boolToString v else toString v) cfg.settings;
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
|
|
||||||
DevicePolicy = "closed";
|
DevicePolicy = "closed";
|
||||||
DynamicUser = true;
|
DynamicUser = true;
|
||||||
EnvironmentFile = lib.optional (cfg.passwordFile != null) cfg.passwordFile;
|
EnvironmentFile = lib.optional (cfg.passwordFile != null) cfg.passwordFile;
|
||||||
|
@ -109,7 +109,6 @@ in
|
|||||||
LoadCredential = lib.optionalString (cfg.passwordFile != null)
|
LoadCredential = lib.optionalString (cfg.passwordFile != null)
|
||||||
"PHOTOPRISM_ADMIN_PASSWORD:${cfg.passwordFile}";
|
"PHOTOPRISM_ADMIN_PASSWORD:${cfg.passwordFile}";
|
||||||
|
|
||||||
CapabilityBoundingSet = "";
|
|
||||||
LockPersonality = true;
|
LockPersonality = true;
|
||||||
PrivateDevices = true;
|
PrivateDevices = true;
|
||||||
PrivateUsers = true;
|
PrivateUsers = true;
|
||||||
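Review bot: The dropped `CapabilityBoundingSet = "";` is a restriction, not a grant, and removing it widens the bounding set back to systemd's default; the actual grant in this file is the `optionalAttrs (cfg.port < 1024)` block removed in the following hunk. With `PrivateUsers = true` visible just below, the process runs in its own user namespace, which is presumably why the ambient grant never let it bind a host port below 1024 — the empty bounding set, by contrast, still did what it said. Suggest restoring `CapabilityBoundingSet = "";` next to `LockPersonality = true;` and noting the consequence with `# PrivateUsers: no host capabilities, so cfg.port must be >= 1024`. The serviceConfig attrset continues past this hunk.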
@ -126,9 +125,6 @@ in
|
|||||||
SystemCallArchitectures = "native";
|
SystemCallArchitectures = "native";
|
||||||
SystemCallFilter = [ "@system-service" "~@setuid @keyring" ];
|
SystemCallFilter = [ "@system-service" "~@setuid @keyring" ];
|
||||||
UMask = "0066";
|
UMask = "0066";
|
||||||
} // lib.optionalAttrs (cfg.port < 1024) {
|
|
||||||
AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
|
|
||||||
CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
|
|
||||||
};
|
};
|
||||||
|
|
||||||
wantedBy = [ "multi-user.target" ];
|
wantedBy = [ "multi-user.target" ];
|
||||||
|
@ -87,7 +87,6 @@ in
|
|||||||
User = "powerdnsadmin";
|
User = "powerdnsadmin";
|
||||||
Group = "powerdnsadmin";
|
Group = "powerdnsadmin";
|
||||||
|
|
||||||
AmbientCapabilities = "CAP_NET_BIND_SERVICE";
|
|
||||||
BindReadOnlyPaths = [
|
BindReadOnlyPaths = [
|
||||||
"/nix/store"
|
"/nix/store"
|
||||||
"-/etc/resolv.conf"
|
"-/etc/resolv.conf"
|
||||||
@ -97,7 +96,6 @@ in
|
|||||||
]
|
]
|
||||||
++ (optional (cfg.secretKeyFile != null) cfg.secretKeyFile)
|
++ (optional (cfg.secretKeyFile != null) cfg.secretKeyFile)
|
||||||
++ (optional (cfg.saltFile != null) cfg.saltFile);
|
++ (optional (cfg.saltFile != null) cfg.saltFile);
|
||||||
CapabilityBoundingSet = "CAP_NET_BIND_SERVICE";
|
|
||||||
# ProtectClock= adds DeviceAllow=char-rtc r
|
# ProtectClock= adds DeviceAllow=char-rtc r
|
||||||
DeviceAllow = "";
|
DeviceAllow = "";
|
||||||
# Implies ProtectSystem=strict, which re-mounts all paths
|
# Implies ProtectSystem=strict, which re-mounts all paths
|
||||||
|
@ -90,7 +90,6 @@ in {
|
|||||||
"/var/run/mysqld";
|
"/var/run/mysqld";
|
||||||
|
|
||||||
CapabilityBoundingSet = "";
|
CapabilityBoundingSet = "";
|
||||||
AmbientCapabilities = "CAP_NET_BIND_SERVICE";
|
|
||||||
|
|
||||||
DeviceAllow = "";
|
DeviceAllow = "";
|
||||||
|
|
||||||
|