nixos/unbound: remove setuid/gid capability

If username is set, then unbound will try to become that user using
`setusercontext`. But this is pointless since we are already instructing
systemd to launch unbound with that user.

So force username to be empty, which disables this behaviour in unbound.
This allows us to remove the granted capabilities and also tighten the
syscall filter.
This commit is contained in:
Gary Guo 2023-11-05 20:48:21 +00:00
parent c70614c0a4
commit de6c5343b6


@ -166,7 +166,7 @@ in {
services.unbound.settings = {
server = {
directory = mkDefault cfg.stateDir;
username = cfg.user;
username = ''""'';
chroot = ''""'';
pidfile = ''""'';
# when running under systemd there is no need to daemonize
@ -245,14 +245,9 @@ in {
NotifyAccess = "main";
Type = "notify";
# FIXME: Which of these do we actually need, can we drop the chroot flag?
AmbientCapabilities = [
"CAP_NET_BIND_SERVICE"
"CAP_NET_RAW"
"CAP_SETGID"
"CAP_SETUID"
"CAP_SYS_CHROOT"
"CAP_SYS_RESOURCE"
"CAP_NET_RAW" # needed if ip-transparent is set to true
];
User = cfg.user;
@ -273,7 +268,7 @@ in {
RestrictRealtime = true;
SystemCallArchitectures = "native";
SystemCallFilter = [
"~@clock @cpu-emulation @debug @keyring @module mount @obsolete @resources"
"~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @resources @privileged"
];
RestrictNamespaces = true;
LockPersonality = true;
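Review bot: The `~@privileged` group added to SystemCallFilter in the third hunk denies chroot(2) along with the setuid/setgid family (chroot is listed in systemd's @privileged set, if I read the group definitions correctly), so the `"CAP_SYS_CHROOT"` still granted in the second hunk's AmbientCapabilities can no longer be exercised: the chroot option is already forced empty in the first hunk, and a configuration that re-enabled it would be killed by seccomp rather than succeed. Dropping `"CAP_SYS_CHROOT"` and the FIXME line above the list would make the unit's capability set match the filter, assuming the seccomp change is meant to be the authority here. The forced `username = ''""'';` in the first hunk also deserves a why-comment, since it is not `mkDefault` and a reader will otherwise assume cfg.user was dropped by mistake: `# systemd already runs unbound as cfg.user; an empty username stops unbound calling setuid/setgid, which the unit no longer grants or allows`. The settings and serviceConfig attribute sets both continue outside these hunks.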