grimm-nixos-laptop/hardening/systemd.nix

{ lib, config, ... }:
let
inherit (lib) mkDefault types mkIf;
# Curried equality test, used to build unit-name predicates (`eq "user@"`).
eq = lhs: rhs: lhs == rhs;
# True when `x` satisfies none of the predicates in `preds`.
# An empty predicate list therefore yields true; evaluation stops at the
# first predicate that matches.
noPred = preds: x: !(lib.any (pred: pred x) preds);
in
{
# Inject sandboxing defaults into every entry of `systemd.services` by
# extending the option's submodule type.  Every value is `mkDefault`, so an
# explicit per-service setting (such as the exemptions in `config` below)
# takes priority.  The defaults are gated on `specialisation != { }`; this
# appears to rely on NixOS clearing `specialisation` inside a specialisation's
# own configuration, so that the hardening applies to the main system but not
# to a specialisation (an escape hatch for booting without it) -- confirm.
options.systemd.services = lib.mkOption {
  type =
    let
      # `config` is shadowed by the submodule's own argument below, so keep
      # the top-level NixOS configuration reachable under another name.
      osConfig = config;
      # Services matching any of these predicates are spared the "intrusive"
      # options (currently only PrivateTmp; the others are still commented out).
      intrusiveExemptions = [
        (lib.hasPrefix "systemd-")
        (eq "user@")
        (eq "user-runtime-dir@")
        (eq "nix-daemon")
      ];
    in
    types.attrsOf (
      types.submodule (
        { name, ... }:
        let
          intrusiveAllowed = noPred intrusiveExemptions name;
        in
        {
          config.serviceConfig = mkIf (osConfig.specialisation != { }) (
            lib.mkMerge [
              # Applied to every service, exempt or not.  Note that this
              # includes ProtectClock, so clock-setting units have to opt
              # out explicitly.
              {
                ProtectHome = mkDefault true;
                ProtectClock = mkDefault true;
                ProtectHostname = mkDefault true;
                # LockPersonality = mkDefault true;
              }
              # Applied only to services outside the exemption list.
              (mkIf intrusiveAllowed {
                PrivateTmp = mkDefault true;
                # NoNewPrivileges = mkDefault true; # TODO: this one is quite radical
                # SystemCallFilter = mkDefault "@system-service";
                # ProtectKernelLogs = mkDefault true;
                # SystemCallArchitectures = mkDefault "native";
              })
            ]
          );
        }
      )
    );
};
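# Per-service exemptions from the sandboxing defaults declared above, plus a
# tightened profile for NetworkManager.  Plain (non-mkDefault) values are used
# so they win over the mkDefault'ed defaults.  Guarded by the same
# `specialisation != { }` condition as the defaults so both switch off together.
config = mkIf (config.specialisation != { }) {
  systemd.services = {
    # Units allowed to see real home directories (sshd presumably for
    # ~/.ssh/authorized_keys; display-manager and dbus-broker read-only).
    "user-runtime-dir@".serviceConfig.ProtectHome = false;
    "user@".serviceConfig.ProtectHome = false;
    systemd-homed.serviceConfig.ProtectHome = false;
    systemd-homed-activate.serviceConfig.ProtectHome = false;
    sshd.serviceConfig.ProtectHome = false;
    display-manager.serviceConfig.ProtectHome = "read-only";
    dbus-broker.serviceConfig.ProtectHome = "read-only";
    # NOTE(review): nix-daemon is only exempt from PrivateTmp; it still gets
    # ProtectHome=true.  Confirm builds of source trees under /home (and any
    # home-manager activation units, if used) keep working.

    # Units exempted from the PrivateTmp default.
    zfs-mount.serviceConfig.PrivateTmp = false;
    kmod-static-nodes.serviceConfig.PrivateTmp = false;
    mount-pstore.serviceConfig.PrivateTmp = false;
    # todo: tpm things
    # "user@".serviceConfig.PrivateTmp = false; # make sddm happy
    # "user-runtime-dir@".serviceConfig.PrivateTmp = false; # make sddm happy

    # Prepared exemptions for the NoNewPrivileges default, which is still
    # commented out above; harmless until it is enabled.
    polkit.serviceConfig.NoNewPrivileges = false;
    "getty@".serviceConfig.NoNewPrivileges = false;
    "user@".serviceConfig.NoNewPrivileges = false;
    # todo: dbus?

    NetworkManager.serviceConfig = {
      # The empty first entry emits `CapabilityBoundingSet=` (a reset), so the
      # second line is the complete allow-list.  NOTE(review): this is narrower
      # than the set upstream NetworkManager.service grants itself -- confirm
      # features that need more (e.g. module autoload, VPN plugins) still work.
      CapabilityBoundingSet = [
        ""
        (lib.concatStringsSep " " [
          "cap_net_bind_service"
          "cap_net_admin"
          "cap_net_raw"
        ])
      ];
      UMask = "0022";
      NoNewPrivileges = true;
      RestrictNamespaces = "net uts";
      ProtectControlGroups = true;
      # PrivateDevices
      ProtectKernelModules = true;
      MemoryDenyWriteExecute = true;
      RestrictSUIDSGID = true;
    };

    # Prepared exemptions for the ProtectKernelLogs default (still commented
    # out above).
    auditd.serviceConfig.ProtectKernelLogs = false;
    audit.serviceConfig.ProtectKernelLogs = false;

    # Prepared exemptions for the SystemCallFilter default (still commented out
    # above).  An empty assignment is how systemd resets the filter list.
    "getty@".serviceConfig.SystemCallFilter = "";
    # "user@".serviceConfig.SystemCallFilter = "";
    # "user-runtime-dir@".serviceConfig.SystemCallFilter = "";
    display-manager.serviceConfig.SystemCallFilter = "";
    # nix-daemon.serviceConfig.SystemCallFilter = "";
    sshd.serviceConfig.SystemCallFilter = "";
    rtkit-daemon.serviceConfig.SystemCallFilter = "";

    # Clock-setting units.  ProtectClock is applied to *every* service by the
    # defaults above (it is not gated on the systemd-* exemption), so these
    # must opt out or they lose the ability to set the clock.
    # The unit is `systemd-timesyncd.service`; this previously targeted
    # `systemd-timesync`, which matches no real unit, so the actual daemon
    # (when services.timesyncd is enabled) kept ProtectClock=true and NixOS
    # generated a stub unit under the misspelt name instead.
    systemd-timesyncd.serviceConfig = {
      ProtectClock = false;
      SystemCallFilter = "@system-service @clock";
    };
    save-hwclock.serviceConfig = {
      ProtectClock = false;
      SystemCallFilter = "@system-service @clock";
    };

    # Prepared exemption for the LockPersonality default (still commented out
    # above).  NOTE(review): pipewire normally runs as a *user* service; this
    # key only matches a system-wide pipewire unit and otherwise just
    # generates a stub unit.
    pipewire.serviceConfig = {
      LockPersonality = false;
    };
  };
};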
}