nixos/gns3-server: disable SystemD hardening

Anthony ROUSSEL 2024-09-23 20:46:10 +02:00
parent 77edd2b066
commit c1104aee4d
2 changed files with 26 additions and 5 deletions


@ -298,6 +298,15 @@
a static `user` and `group`. The `writablePaths` option has been removed and a static `user` and `group`. The `writablePaths` option has been removed and
the models directory is now always exempt from sandboxing. the models directory is now always exempt from sandboxing.
- The `gns3-server` service now runs under the `gns3` system user
instead of a dynamically created one via `DynamicUser`.
The use of SUID wrappers is incompatible with SystemD's `DynamicUser` setting,
and GNS3 requires calling ubridge through its SUID wrapper to function properly.
This change requires to manually move the following directories:
* from `/var/lib/private/gns3` to `/var/lib/gns3`
* from `/var/log/private/gns3` to `/var/log/gns3`
and to change the ownership of these directories and their contents to `gns3` (including `/etc/gns3`).
- Legacy package `stalwart-mail_0_6` was dropped, please note the - Legacy package `stalwart-mail_0_6` was dropped, please note the
[manual upgrade process](https://github.com/stalwartlabs/mail-server/blob/main/UPGRADING.md) [manual upgrade process](https://github.com/stalwartlabs/mail-server/blob/main/UPGRADING.md)
before changing the package to `pkgs.stalwart-mail` in before changing the package to `pkgs.stalwart-mail` in


@ -233,14 +233,27 @@ in {
User = "gns3"; User = "gns3";
WorkingDirectory = "%S/gns3"; WorkingDirectory = "%S/gns3";
# Required for ubridge integration to work
#
# GNS3 needs to run SUID binaries (ubridge)
# but NoNewPrivileges breaks execution of SUID binaries
DynamicUser = false;
NoNewPrivileges = false;
RestrictSUIDSGID = false;
PrivateUsers = false;
# Hardening # Hardening
DeviceAllow = lib.optional flags.enableLibvirtd "/dev/kvm"; DeviceAllow = [
# ubridge needs access to tun/tap devices
"/dev/net/tap rw"
"/dev/net/tun rw"
] ++ lib.optionals flags.enableLibvirtd [
"/dev/kvm"
];
DevicePolicy = "closed"; DevicePolicy = "closed";
LockPersonality = true; LockPersonality = true;
MemoryDenyWriteExecute = true; MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
PrivateTmp = true; PrivateTmp = true;
PrivateUsers = true;
# Don't restrict ProcSubset because python3Packages.psutil requires read access to /proc/stat # Don't restrict ProcSubset because python3Packages.psutil requires read access to /proc/stat
# ProcSubset = "pid"; # ProcSubset = "pid";
ProtectClock = true; ProtectClock = true;
@ -261,8 +274,7 @@ in {
]; ];
RestrictNamespaces = true; RestrictNamespaces = true;
RestrictRealtime = true; RestrictRealtime = true;
RestrictSUIDSGID = true; UMask = "0022";
UMask = "0077";
}; };
}; };
}; };
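Review bot: `RestrictSUIDSGID = false;` in the first hunk is not covered by the comment above it, which only explains why `NoNewPrivileges` has to be off: RestrictSUIDSGID= denies setting the SUID/SGID bits on files the service creates, not executing an existing SUID binary such as the ubridge wrapper, so it can likely stay `true`, or the comment should state the concrete reason it must be disabled. The UMask relaxation from `0077` to `0022` in the second hunk is likewise undocumented and makes files the service creates under its state and log directories world-readable by default, so either keep the stricter value or add a why-comment such as `# UMask 0022 so that <consumer> can read <files> — confirm`. With NoNewPrivileges turned off but seccomp-backed options (`MemoryDenyWriteExecute`, `LockPersonality`, `RestrictNamespaces`, `RestrictRealtime`) still enabled, it is worth confirming on a running unit that the effective NoNewPrivileges setting is really off, since systemd documents that seccomp filtering can imply it in some configurations. The new `"/dev/net/tap rw"` entry in DeviceAllow may refer to a node that does not exist on the host (tap interfaces are normally created through `/dev/net/tun`); it is harmless under `DevicePolicy = "closed"` but misleading if dead. The enclosing attribute set starts before the first hunk, so any remaining hardening options are outside this view.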