From 854a65fd471794c11af7a0901e6115515e447390 Mon Sep 17 00:00:00 2001
From: piegames
Date: Tue, 11 Jan 2022 22:35:06 +0100
Subject: [PATCH 1/3] nixos/heisenbridge: Improve hardening
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Systemd score is "1.6 OK 🙂"
---
 nixos/modules/services/misc/heisenbridge.nix | 36 ++++++++++++++------
 1 file changed, 25 insertions(+), 11 deletions(-)

diff --git a/nixos/modules/services/misc/heisenbridge.nix b/nixos/modules/services/misc/heisenbridge.nix
index 353a2781d28b..93bb70edb438 100644
--- a/nixos/modules/services/misc/heisenbridge.nix
+++ b/nixos/modules/services/misc/heisenbridge.nix
@@ -172,25 +172,39 @@ in
           ++ (map (lib.escapeShellArg) cfg.extraArgs)
         );
 
-        ProtectHome = true;
-        PrivateDevices = true;
-        ProtectKernelTunables = true;
-        ProtectKernelModules = true;
-        ProtectControlGroups = true;
-        StateDirectory = "heisenbridge";
-        StateDirectoryMode = "755";
+        # Hardening options
         User = "heisenbridge";
         Group = "heisenbridge";
+        RuntimeDirectory = "heisenbridge";
+        RuntimeDirectoryMode = "0755";
+        StateDirectory = "heisenbridge";
+        StateDirectoryMode = "755";
 
-        CapabilityBoundingSet = [ "CAP_CHOWN" ] ++ optional (cfg.port < 1024 || cfg.identd.port < 1024) "CAP_NET_BIND_SERVICE";
+        ProtectSystem = "strict";
+        ProtectHome = true;
+        PrivateTmp = true;
+        PrivateDevices = true;
+        ProtectKernelTunables = true;
+        ProtectControlGroups = true;
+        RestrictSUIDSGID = true;
+        PrivateMounts = true;
+        ProtectKernelModules = true;
+        ProtectKernelLogs = true;
+        ProtectHostname = true;
+        ProtectClock = true;
+        ProtectProc = "invisible";
+        ProcSubset = "pid";
+        RestrictNamespaces = true;
+        RemoveIPC = true;
+        UMask = "0077";
+
+        CapabilityBoundingSet = [ "CAP_CHOWN" ] ++ optional (cfg.port < 1024 || (cfg.identd.enable && cfg.identd.port < 1024)) "CAP_NET_BIND_SERVICE";
         AmbientCapabilities = CapabilityBoundingSet;
         NoNewPrivileges = true;
-        LockPersonality = true;
         RestrictRealtime = true;
-        PrivateMounts = true;
-        SystemCallFilter = "~@aio @clock @cpu-emulation @debug @keyring @memlock @module @mount @obsolete @raw-io @setuid @swap";
+        SystemCallFilter = "@system-service";
         SystemCallArchitectures = "native";
         RestrictAddressFamilies = "AF_INET AF_INET6";
       };

From 4b165e7675f27efe8e4ac0fabed4faa2dc3d3492 Mon Sep 17 00:00:00 2001
From: piegames
Date: Thu, 13 Jan 2022 13:28:31 +0100
Subject: [PATCH 2/3] nixos/heisenbridge: Fix/improve enable option description

See https://github.com/NixOS/nixpkgs/pull/154831#discussion_r783858597 for context
---
 nixos/modules/services/misc/heisenbridge.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
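Review bot: `UMask = "0077"` is introduced in this hunk while `StateDirectoryMode = "755"` is kept, so anything the unit writes under the state directory is created 0600 inside a world-traversable directory; if the 755 mode exists so that another unit (presumably the homeserver) can read the generated registration file, that file now needs its mode or group set explicitly, which cannot be confirmed here because ExecStartPre and the rest of `serviceConfig` begin before the hunk. Neither the reason for leaving the state directory open nor the reason for `CAP_CHOWN` in `CapabilityBoundingSet` is recorded next to the options, and `AmbientCapabilities = CapabilityBoundingSet` hands that capability to the main process for the whole service lifetime, not only to the setup step. A comment such as `# state dir stays 0755 and CAP_CHOWN is kept so that <consumer> can read the registration file — verify against ExecStartPre` (placeholder to be filled in) would keep a later hardening pass from tightening or loosening this blindly. The same gap applies to the first hunk of PATCH 3/3, which tightens the runtime directory to 0700 and normalizes the state directory to "0755" without saying why the two differ.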
diff --git a/nixos/modules/services/misc/heisenbridge.nix b/nixos/modules/services/misc/heisenbridge.nix
index 93bb70edb438..79af5f42766c 100644
--- a/nixos/modules/services/misc/heisenbridge.nix
+++ b/nixos/modules/services/misc/heisenbridge.nix
@@ -23,7 +23,7 @@ let
 in
 {
   options.services.heisenbridge = {
-    enable = mkEnableOption "A bouncer-style Matrix IRC bridge";
+    enable = mkEnableOption "the Matrix to IRC bridge";
 
     package = mkOption {
       type = types.package;

From d9172e7a1ad77f08d05e82a2298e7615dd826653 Mon Sep 17 00:00:00 2001
From: piegames
Date: Thu, 13 Jan 2022 23:33:23 +0100
Subject: [PATCH 3/3] fixup! nixos/heisenbridge: Improve hardening

---
 nixos/modules/services/misc/heisenbridge.nix | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/nixos/modules/services/misc/heisenbridge.nix b/nixos/modules/services/misc/heisenbridge.nix
index 79af5f42766c..7ce8a23d9af1 100644
--- a/nixos/modules/services/misc/heisenbridge.nix
+++ b/nixos/modules/services/misc/heisenbridge.nix
@@ -177,9 +177,9 @@ in
         User = "heisenbridge";
         Group = "heisenbridge";
         RuntimeDirectory = "heisenbridge";
-        RuntimeDirectoryMode = "0755";
+        RuntimeDirectoryMode = "0700";
         StateDirectory = "heisenbridge";
-        StateDirectoryMode = "755";
+        StateDirectoryMode = "0755";
 
         ProtectSystem = "strict";
         ProtectHome = true;
@@ -204,7 +204,7 @@ in
         NoNewPrivileges = true;
         LockPersonality = true;
         RestrictRealtime = true;
-        SystemCallFilter = "@system-service";
+        SystemCallFilter = ["@system-service" "~@priviledged" "@chown"];
         SystemCallArchitectures = "native";
         RestrictAddressFamilies = "AF_INET AF_INET6";
       };
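Review bot: `~@priviledged` in the new `SystemCallFilter` line of the second hunk is misspelled; the systemd set is `@privileged`, and as far as I can tell systemd logs an unknown set name as a warning and skips it rather than failing the unit, so the exclusion silently never applies and the effective filter is just `@system-service` plus `@chown`. Change the line to `SystemCallFilter = [ "@system-service" "~@privileged" "@chown" ];`. Element order is significant here — the allow-list first, then the denial, then `@chown` re-added because `CAP_CHOWN` stays in the bounding set — so a short comment stating that would help the next reader, and `systemd-analyze security heisenbridge.service` can confirm that privileged calls are actually filtered once the name is corrected.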