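{
  pkgs,
  config,
  lib,
  ...
}:
# OpenSnitch application firewall: default-deny with explicit per-program
# allow rules.  Every attribute under `rules` becomes one OpenSnitch rule
# file.  `precedence = true` marks a rule that OpenSnitch evaluates before the
# non-precedence rules, which is how an allow rule is made to win over the
# broad deny rule for the same binary (spotify, osu, vesktop below).
let
  inherit (config.grimmShared)
    enable
    tooling
    graphical
    network
    ;
  inherit (lib)
    optional
    getBin
    getExe
    concatLines
    getExe'
    escapeRegex
    getVersion
    mkIf
    filter
    split
    strings
    concatStringsSep
    length
    isString
    ;

  # Private address ranges treated as "local" (RFC 1918 + IPv6 ULA).
  # Loopback is not in here; it has its own `localhost` rule.
  local_network = [
    "192.168.0.0/16"
    "10.0.0.0/8"
    "172.16.0.0/12"
    "fc00::/7"
  ];
  # The `lists.*` operands point at a directory of list files, hence writeTextDir.
  local_ips = pkgs.writeTextDir "local_ips.list" (concatLines local_network);
  # Fixed timestamp so the generated rule files are reproducible.
  created = "1970-01-01T00:00:00.0+00:00";

  # Operator data shared by several rules.
  #
  # Escaping note: in a Nix double-quoted string a lone backslash is dropped
  # ("\." evaluates to "."), so a literal regex dot has to be written "\\.".
  # Store-path fragments are run through escapeRegex instead.
  spotify_bin = "${getBin pkgs.spotify}/share/spotify/.spotify-wrapped";
  # osu-lazer-bin unpacks itself into a separate store path whose hash is not
  # known at evaluation time; only the version is pinned.
  osu_path_re = "/nix/store/[a-z0-9]{32}-osu-lazer-bin-${escapeRegex (getVersion pkgs.osu-lazer-bin)}-extracted/usr/bin/osu!";
  electron_re = "/nix/store/[a-z0-9]{32}-electron-unwrapped-${escapeRegex (getVersion pkgs.electron)}/libexec/electron/electron";
  # Main vesktop process: the electron binary started with the vesktop asar.
  vesktop_cmd_re = "${electron_re}.*${escapeRegex "${pkgs.vesktop}/opt/Vesktop/resources/app.asar"}";
  # Vesktop's network-service utility process.  The asar path is not on its
  # command line, so it is recognised by the per-user vesktop config directory.
  vesktop_net_cmd_re = "${electron_re}.*${escapeRegex "--utility-sub-type=network.mojom.NetworkService"}.*--user-data-dir=/home/.+/\\.config/vesktop.+";
in
{
  config = mkIf (enable && tooling.enable && network) {
    environment.systemPackages = optional graphical pkgs.opensnitch-ui;
    grimmShared.sway.config.autolaunch = optional graphical pkgs.opensnitch-ui;

    networking.nftables.enable = true;

    # security.audit.enable = true;
    # The audit tooling only needs to be on the daemon's PATH when the audit
    # process-monitor backend is selected.
    systemd.services.opensnitchd.path = optional (
      config.services.opensnitch.settings.ProcMonitorMethod == "audit"
    ) pkgs.audit.bin;

    services.opensnitch = {
      enable = true;
      settings = {
        # Verdict for connections no rule matches (and the UI does not answer).
        DefaultAction = "deny";
        Firewall = if config.networking.nftables.enable then "nftables" else "iptables";
        ProcMonitorMethod = "ftrace";
        # ProcMonitorMethod = "audit";
      };
      rules = {
        # programs.firefox wraps cfg.package before installing it, so the rule
        # has to point at the wrapper's store path, not at cfg.package itself.
        # The override below presumably re-applies the same wrapper inputs the
        # NixOS module uses.  TODO(review): confirm against
        # nixos/modules/programs/firefox.nix on nixpkgs bumps -- any drift
        # silently turns this allow rule into a no-op.
        firefox =
          let
            cfg = config.programs.firefox;
            pkg = cfg.package.override (old: {
              extraPrefsFiles =
                old.extraPrefsFiles or [ ]
                ++ cfg.autoConfigFiles
                ++ [ (pkgs.writeText "firefox-autoconfig.js" cfg.autoConfig) ];
              nativeMessagingHosts = old.nativeMessagingHosts or [ ] ++ cfg.nativeMessagingHosts.packages;
              cfg = (old.cfg or { }) // cfg.wrapperConfig;
            });
          in
          # pkg = pkgs.firefox-unwrapped;
          mkIf config.programs.firefox.enable {
            name = "firefox";
            enabled = true;
            action = "allow";
            duration = "always";
            inherit created;
            operator = {
              type = "simple";
              sensitive = false;
              operand = "process.path";
              data = "${getBin pkg}/lib/firefox/firefox";
            };
          };

        # Domain deny-list, applied to every process.
        block-list = {
          name = "block-list";
          action = "deny";
          enabled = true;
          duration = "always";
          inherit created;
          operator = {
            type = "lists";
            operand = "lists.domains";
            data = pkgs.callPackage ./block_lists.nix { };
          };
        };

        # git and ssh may talk to anything; the path regex is anchored at the
        # start so only binaries from exactly this store path match.
        git = {
          name = "git-allow-all";
          enabled = true;
          action = "allow";
          duration = "always";
          inherit created;
          operator = {
            type = "regexp";
            sensitive = false;
            operand = "process.path";
            data = "^${escapeRegex pkgs.git.outPath}/.*";
          };
        };

        ssh = {
          name = "ssh-allow-all";
          enabled = true;
          action = "allow";
          duration = "always";
          inherit created;
          operator = {
            type = "regexp";
            sensitive = false;
            operand = "process.path";
            data = "^${escapeRegex pkgs.openssh.outPath}/.*";
          };
        };

        # Name-service cache: DNS (port 53) to the configured resolvers and the
        # local networks only.
        nsncd = mkIf config.services.nscd.enableNsncd {
          name = "nsncd-dns";
          enabled = true;
          action = "allow";
          duration = "always";
          inherit created;
          operator = {
            type = "list";
            operand = "list";
            list = [
              {
                type = "simple";
                sensitive = false;
                operand = "process.path";
                data = getExe pkgs.nsncd;
              }
              {
                type = "simple";
                operand = "dest.port";
                data = "53";
              }
              {
                type = "lists";
                operand = "lists.nets";
                data = pkgs.writeTextDir "cidr_dns.list" (
                  concatLines ((map (ip: "${ip}/32") config.networking.nameservers) ++ local_network)
                );
              }
              {
                type = "simple";
                operand = "user.id";
                # NOTE(review): hard-coded uid; confirm it is the nscd user's
                # uid on this host (a uid change silently disables the rule).
                data = "998";
              }
            ];
          };
        };

        # Loopback traffic is always allowed, for every process.
        localhost = {
          name = "localhost";
          enabled = true;
          action = "allow";
          duration = "always";
          precedence = true;
          inherit created;
          operator = {
            type = "regexp";
            sensitive = false;
            operand = "dest.ip";
            data = "^(127\\.0\\.0\\.1|::1)$";
          };
        };

        # Spotify: deny everything, then allow (with precedence) the official
        # hosts on 443/4070 plus the local network.
        spotify_deny = mkIf (config.grimmShared.spotify.enable && graphical) {
          name = "spotify-deny";
          enabled = true;
          action = "deny";
          precedence = false;
          duration = "always";
          inherit created;
          operator = {
            type = "simple";
            sensitive = false;
            operand = "process.path";
            data = spotify_bin;
          };
        };
        # osu!: same deny/allow pair; allowed only to api.github.com and
        # ppy.sh (or a subdomain of it) on 443/53.
        osu_deny = mkIf (config.grimmShared.gaming && graphical) {
          name = "osu-deny";
          enabled = true;
          action = "deny";
          precedence = false;
          duration = "always";
          inherit created;
          operator = {
            type = "regexp";
            sensitive = false;
            operand = "process.path";
            data = osu_path_re;
          };
        };
        osu_allow = mkIf (config.grimmShared.gaming && graphical) {
          name = "osu-allow";
          enabled = true;
          action = "allow";
          precedence = true;
          duration = "always";
          inherit created;
          operator = {
            type = "list";
            operand = "list";
            list = [
              {
                type = "regexp";
                operand = "dest.port";
                data = "443|53";
              }
              {
                type = "regexp";
                sensitive = false;
                operand = "process.path";
                data = osu_path_re;
              }
              {
                type = "regexp";
                sensitive = false;
                operand = "dest.host";
                # Dots are escaped ("\\.") and the pattern is anchored; written
                # with single backslashes the dots matched any character and
                # the unanchored pattern also matched e.g. api.github.com.<other>.
                data = "^((api\\.github\\.com)|((.+\\.)?ppy\\.sh))$";
              }
            ];
          };
        };

        ncspot = mkIf config.grimmShared.spotify.enable {
          name = "ncspot";
          enabled = true;
          action = "allow";
          duration = "always";
          inherit created;
          operator = {
            type = "list";
            operand = "list";
            list = [
              {
                type = "regexp";
                operand = "dest.port";
                data = "443|4070";
              }
              {
                type = "simple";
                sensitive = false;
                operand = "process.path";
                data = getExe pkgs.ncspot;
              }
              {
                type = "lists";
                operand = "lists.domains_regexp";
                data = ./spotify_hosts;
              }
            ];
          };
        };
        spotify_allow = mkIf (config.grimmShared.spotify.enable && graphical) {
          name = "spotify-allow";
          enabled = true;
          action = "allow";
          duration = "always";
          precedence = true;
          inherit created;
          operator = {
            type = "list";
            operand = "list";
            list = [
              {
                type = "regexp";
                operand = "dest.port";
                data = "443|4070";
              }
              {
                type = "simple";
                sensitive = false;
                operand = "process.path";
                data = spotify_bin;
              }
              {
                type = "lists";
                operand = "lists.domains_regexp";
                data = ./spotify_hosts;
              }
            ];
          };
        };
        spotify_allow_local = mkIf (config.grimmShared.spotify.enable && graphical) {
          name = "spotify-allow-local";
          enabled = true;
          action = "allow";
          duration = "always";
          precedence = true;
          inherit created;
          operator = {
            type = "list";
            operand = "list";
            list = [
              {
                type = "simple";
                sensitive = false;
                operand = "process.path";
                data = spotify_bin;
              }
              {
                type = "lists";
                operand = "lists.nets";
                data = local_ips;
              }
            ];
          };
        };

        # Vesktop (Discord client): the main electron process and its
        # network-service helper are matched on process.command, since both
        # share the generic electron binary path.  Each gets a deny rule plus a
        # precedence allow rule restricted to the discord host list.
        vesktop_deny = mkIf graphical {
          name = "vesktop-deny";
          enabled = true;
          action = "deny";
          precedence = false;
          duration = "always";
          inherit created;
          operator = {
            type = "regexp";
            sensitive = false;
            operand = "process.command";
            data = vesktop_cmd_re;
          };
        };
        vesktop_allow = mkIf graphical {
          name = "vesktop-allow";
          enabled = true;
          action = "allow";
          precedence = true;
          duration = "always";
          inherit created;
          operator = {
            type = "list";
            operand = "list";
            list = [
              {
                type = "regexp";
                sensitive = false;
                operand = "process.command";
                data = vesktop_cmd_re;
              }
              {
                type = "lists";
                operand = "lists.domains_regexp";
                data = ./discord_hosts;
              }
            ];
          };
        };
        # Voice traffic: UDP to ports 50000-50099 from the network-service
        # helper, to any destination.
        vesktop_daemon_allow_udp = mkIf graphical {
          name = "vesktop-allow-udp";
          enabled = true;
          action = "allow";
          precedence = true;
          duration = "always";
          inherit created;
          operator = {
            type = "list";
            operand = "list";
            list = [
              {
                type = "regexp";
                sensitive = false;
                operand = "process.command";
                data = vesktop_net_cmd_re;
              }
              {
                type = "simple";
                operand = "protocol";
                data = "udp";
              }
              {
                type = "regexp";
                operand = "dest.port";
                data = "500[0-9]{2}";
              }
            ];
          };
        };
        vesktop_daemon_deny = mkIf graphical {
          name = "vesktop-daemon-deny";
          enabled = true;
          action = "deny";
          precedence = false;
          duration = "always";
          inherit created;
          operator = {
            type = "regexp";
            sensitive = false;
            operand = "process.command";
            data = vesktop_net_cmd_re;
          };
        };
        vesktop_daemon_allow = mkIf graphical {
          name = "vesktop-daemon-allow";
          enabled = true;
          action = "allow";
          precedence = true;
          duration = "always";
          inherit created;
          operator = {
            type = "list";
            operand = "list";
            list = [
              {
                type = "regexp";
                sensitive = false;
                operand = "process.command";
                data = vesktop_net_cmd_re;
              }
              {
                type = "lists";
                operand = "lists.domains_regexp";
                data = ./discord_hosts;
              }
            ];
          };
        };

        # mDNS (5353) and DNS for the avahi daemon.
        avahi = mkIf config.services.avahi.enable {
          name = "avahi";
          enabled = true;
          action = "allow";
          duration = "always";
          inherit created;
          operator = {
            type = "list";
            operand = "list";
            list = [
              {
                type = "simple";
                sensitive = false;
                operand = "process.path";
                data = getExe' config.services.avahi.package "avahi-daemon";
              }
              {
                type = "regexp";
                operand = "dest.port";
                data = "5353|53";
              }
              {
                type = "simple";
                operand = "user.id";
                # NOTE(review): hard-coded uid; confirm it is the avahi user's
                # uid on this host.
                data = "996";
              }
            ];
          };
        };

        icmp = {
          name = "icmp";
          enabled = true;
          action = "allow";
          duration = "always";
          inherit created;
          operator = {
            type = "regexp";
            operand = "protocol";
            sensitive = false;
            data = "icmp(4|6)?";
          };
        };
        # DHCPv6 (547) for NetworkManager.  The daemon binary is spelled
        # `NetworkManager`; getExe' only builds the path string, so the match
        # relies on `sensitive = false` (case-insensitive compare).
        network-manager = mkIf config.networking.networkmanager.enable {
          name = "network-manager";
          enabled = true;
          action = "allow";
          duration = "always";
          inherit created;
          operator = {
            type = "list";
            operand = "list";
            list = [
              {
                type = "simple";
                sensitive = false;
                operand = "process.path";
                data = getExe' pkgs.networkmanager "networkmanager";
              }
              {
                type = "simple";
                operand = "dest.port";
                data = "547";
              }
              # {
              # type ="simple";
              # operand = "dest.network";
              # data = "ff02::1:2";
              # }
            ];
          };
        };

        # cups-browsed printer discovery: DNS, IPP and HTTP, local networks only.
        cups-filters = mkIf config.services.printing.enable {
          name = "cups-filters";
          enabled = true;
          action = "allow";
          duration = "always";
          inherit created;
          operator = {
            type = "list";
            operand = "list";
            list = [
              {
                type = "simple";
                sensitive = false;
                operand = "process.path";
                data = getExe' pkgs.cups-filters "cups-browsed";
              }
              {
                type = "regexp";
                operand = "dest.port";
                data = "53|631|80";
              }
              {
                type = "lists";
                operand = "lists.nets";
                data = local_ips;
              }
            ];
          };
        };
        # NTP (123), time (37) and DNS for systemd-timesyncd, any destination.
        systemd-timesyncd = mkIf config.services.timesyncd.enable {
          name = "systemd-timesyncd";
          enabled = true;
          action = "allow";
          duration = "always";
          inherit created;
          operator = {
            type = "list";
            operand = "list";
            list = [
              {
                type = "simple";
                sensitive = false;
                operand = "process.path";
                data = "${getBin pkgs.systemd}/lib/systemd/systemd-timesyncd";
              }
              {
                type = "regexp";
                operand = "dest.port";
                data = "123|37|53";
              }
              # Host restriction, currently disabled.  If re-enabled, keep the
              # double backslashes: a single "\." in a Nix string is just ".".
              # {
              # type = "regexp";
              # sensitive = false;
              # operand = "dest.host";
              # data = ".*\\.nixos\\.pool\\.ntp\\.org";
              # }
              {
                type = "simple";
                operand = "user.id";
                # NOTE(review): hard-coded uid; confirm it is the
                # systemd-timesync user's uid on this host.
                data = "154";
              }
            ];
          };
        };

        # Currently disabled (mkIf false).
        nextcloud = mkIf false {
          # config.grimmShared.cloudSync.enable
          name = "nextcloud";
          enabled = true;
          action = "allow";
          duration = "always";
          inherit created;
          operator = {
            type = "list";
            operand = "list";
            list = [
              {
                type = "simple";
                sensitive = false;
                operand = "process.path";
                data = getExe' pkgs.nextcloud-client ".nextcloudcmd-wrapped";
              }
              {
                type = "regexp";
                sensitive = false;
                operand = "dest.host";
                # Builds a regex that accepts the server name and each of its
                # parent domains: for a (constructed) server "cloud.example.com"
                # this yields "((cloud\.)?example\.)?com".
                # NOTE(review): every group is optional and the pattern is
                # unanchored, so it effectively matches any host containing the
                # TLD.  Anchor it and require at least the registrable domain
                # before enabling this rule.
                data =
                  let
                    l = (filter isString (split "\\." config.grimmShared.cloudSync.server));
                  in
                  (strings.replicate ((length l) - 1) "(") + (concatStringsSep "\\.)?" l);
                # config.grimmShared.cloudSync.server;
              }
              {
                type = "regexp";
                operand = "dest.port";
                data = "443|53";
              }
            ];
          };
        };
      };
    };
  };
}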