Merge pull request #321987 from thiagokokada/rtorrent-add-hardening

nixos/rtorrent: add systemd hardening configuration
2024-11-22 23:13:19 +00:00 · 2024-06-25 02:34:42 +01:00 · 2024-06-25 02:34:42 +01:00 · 30c578e589
commit 30c578e589
parent 37081c3406 406ebf3ad6
4 changed files with 59 additions and 2 deletions
--- a/nixos/modules/services/torrent/rtorrent.nix
+++ b/nixos/modules/services/torrent/rtorrent.nix
@ -8,6 +8,8 @@ let
  opt = options.services.rtorrent;

 in {
+  meta.maintainers = with lib.maintainers; [ thiagokokada ];
+
  options.services.rtorrent = {
    enable = mkEnableOption "rtorrent";

@ -202,7 +204,31 @@ in {
            ExecStartPre=''${pkgs.bash}/bin/bash -c "if test -e ${cfg.dataDir}/session/rtorrent.lock && test -z $(${pkgs.procps}/bin/pidof rtorrent); then rm -f ${cfg.dataDir}/session/rtorrent.lock; fi"'';
            ExecStart="${cfg.package}/bin/rtorrent -n -o system.daemon.set=true -o import=${rtorrentConfigFile}";
            RuntimeDirectory = "rtorrent";
-            RuntimeDirectoryMode = 755;
+            RuntimeDirectoryMode = 750;
+
+            CapabilityBoundingSet = [ "" ];
+            LockPersonality = true;
+            NoNewPrivileges = true;
+            PrivateDevices = true;
+            PrivateTmp = true;
+            ProtectClock = true;
+            ProtectControlGroups = true;
+            # If the default user is changed, there is a good chance that they
+            # want to store data in e.g.: $HOME directory
+            # Relax hardening in this case
+            ProtectHome = lib.mkIf (cfg.user == "rtorrent") true;
+            ProtectHostname = true;
+            ProtectKernelLogs = true;
+            ProtectKernelModules = true;
+            ProtectKernelTunables = true;
+            ProtectProc = "invisible";
+            ProtectSystem = "full";
+            RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
+            RestrictNamespaces = true;
+            RestrictRealtime = true;
+            RestrictSUIDSGID = true;
+            SystemCallArchitectures = "native";
+            SystemCallFilter = [ "@system-service" "~@privileged" ];
          };
        };
      };
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@ -824,6 +824,7 @@ in {
  rstudio-server = handleTest ./rstudio-server.nix {};
  rsyncd = handleTest ./rsyncd.nix {};
  rsyslogd = handleTest ./rsyslogd.nix {};
+  rtorrent = handleTest ./rtorrent.nix {};
  rxe = handleTest ./rxe.nix {};
  sabnzbd = handleTest ./sabnzbd.nix {};
  samba = handleTest ./samba.nix {};
--- a/nixos/tests/rtorrent.nix
+++ b/nixos/tests/rtorrent.nix
@ -0,0 +1,25 @@
+import ./make-test-python.nix ({ pkgs, ... }:
+let
+  port = 50001;
+in
+{
+  name = "rtorrent";
+  meta = {
+    maintainers = with pkgs.lib.maintainers; [ thiagokokada ];
+  };
+
+  nodes.machine = { pkgs, ... }: {
+    services.rtorrent = {
+      inherit port;
+      enable = true;
+    };
+  };
+
+  testScript = /* python */ ''
+    machine.start()
+    machine.wait_for_unit("rtorrent.service")
+    machine.wait_for_open_port(${toString port})
+
+    machine.succeed("nc -z localhost ${toString port}")
+  '';
+})
--- a/pkgs/applications/networking/p2p/rakshasa-rtorrent/default.nix
+++ b/pkgs/applications/networking/p2p/rakshasa-rtorrent/default.nix
@ -13,9 +13,10 @@
 , pkg-config
 , xmlrpc_c
 , zlib
+, nixosTests
 }:

-stdenv.mkDerivation rec {
+stdenv.mkDerivation {
  pname = "rakshasa-rtorrent";
  version = "0.9.8+date=2022-06-20";

@ -53,6 +54,10 @@ stdenv.mkDerivation rec {
    "--with-posix-fallocate"
  ];

+  passthru.tests = {
+    inherit (nixosTests) rtorrent;
+  };
+
  enableParallelBuilding = true;

  postInstall = ''