nosuid and nodev

2024-12-29 14:17:01 +01:00 · 2024-12-29 14:17:01 +01:00 · 96df3f3c9a
commit 96df3f3c9a
parent 883d5edcd9
2 changed files with 45 additions and 5 deletions
--- a/common/tooling/opensnitch/default.nix
+++ b/common/tooling/opensnitch/default.nix
@ -50,7 +50,7 @@ in
        DefaultAction = "deny";
        Firewall = "iptables";
        LogLevel = 1;
-        ProcMonitorMethod = "proc";
+        ProcMonitorMethod = "ftrace";
      };

      rules = {
--- a/specific/grimm-nixos-ssd/hardware-configuration.nix
+++ b/specific/grimm-nixos-ssd/hardware-configuration.nix
@ -52,6 +52,12 @@ in

  boot.specialFileSystems."/dev/shm".options = [ "noexec" ]; # TODO: does this work?

+  systemd.tmpfiles.settings."mount"."/mnt".d = {
+    group = "root";
+    mode = "755";
+    user = "root";
+  };
+
  boot.zfs = {
    forceImportRoot = false;
    requestEncryptionCredentials = false; # none of the zfs datasets that should be mounted are encrypted. User homes happen later.
@ -72,23 +78,41 @@ in
      "size=2G"
      "mode=755"
      "noexec"
+      "nosuid"
+      # "nodev"
    ];
  };

  fileSystems."${persist}" = {
    device = "zpool/persistent";
    fsType = "zfs";
-    options = [ "noexec" ];
+    options = [
+      "noexec"
+      "nosuid"
+      "nodev"
+    ];
  };

  environment.etc."machine-id".source = "${persist}/etc/machine-id";
  environment.memoryAllocator.provider = "libc";

+#  fileSystems."/nix/var" = {
+#    device = "${persist}/nix/var";
+#    options = [
+#      "bind"
+#      "noexec"
+#      "nosuid"
+#      "nodev"
+#    ];
+#  };
+
  fileSystems."/nix/var" = {
-    device = "${persist}/nix/var";
+    device = "/nix/var";
    options = [
      "bind"
      "noexec"
+      "nosuid"
+      "nodev"
    ];
  };

@ -97,19 +121,29 @@ in
    options = [
      "bind"
      "noexec"
+      "nosuid"
+      "nodev"
    ];
  };

  fileSystems."/nix" = {
    device = "zpool/nix";
    fsType = "zfs";
-    options = [ "exec" ];
+    options = [
+      "exec"
+      "suid"
+      "dev"
+    ];
  };

  fileSystems."/var" = {
    device = "zpool/var";
    fsType = "zfs";
-    options = [ "noexec" ];
+    options = [
+      "noexec"
+      "nosuid"
+      "nodev"
+    ];
  };

  fileSystems."${nix_build}" = {
@ -121,6 +155,8 @@ in
      "size=30%"
      "mode=755"
      "exec"
+      "nosuid"
+      "nodev"
    ];
  };

@ -132,6 +168,8 @@ in
    options = [
      "noacl"
      "noexec"
+      "nosuid"
+      "nodev"
    ];
  };

@ -143,6 +181,8 @@ in
      "dmask=0022"
      "umask=077"
      "noexec"
+      "nosuid"
+      "nodev"
    ];
  };