From a8f9e7a9c2e308809b0a1fae35d5659eb12acc23 Mon Sep 17 00:00:00 2001
From: Grimmauld
Date: Wed, 8 Jan 2025 19:06:22 +0100
Subject: [PATCH] nix-daemon confinement
---
 common/tooling/nix.nix | 2 +-
 hardening/systemd/default.nix | 3 +-
 hardening/systemd/nix-daemon.nix | 51 +++++++++++++++++++
 .../hardware-configuration.nix | 3 +-
 4 files changed, 56 insertions(+), 3 deletions(-)
 create mode 100644 hardening/systemd/nix-daemon.nix
diff --git a/common/tooling/nix.nix b/common/tooling/nix.nix
index 5964d4b..d48776d 100644
--- a/common/tooling/nix.nix
+++ b/common/tooling/nix.nix
@@ -48,7 +48,7 @@
 "pipe-operator"
 ];
 warn-dirty = false;
- allowed-users = [ "@wheel" ];
+ allowed-users = [ "@wheel" "grimmauld" ];
 };
 
 programs.nh = {
diff --git a/hardening/systemd/default.nix b/hardening/systemd/default.nix
index c6400cc..04f716f 100644
--- a/hardening/systemd/default.nix
+++ b/hardening/systemd/default.nix
@@ -17,10 +17,11 @@ in
 ./wpa_supplicant.nix
 ./auditd.nix
 ./acpid.nix
- ./cups.nix
+ # ./cups.nix
 ./bluetooth.nix
 ./tty.nix
 ./ask-password.nix
+ ./nix-daemon.nix
 ./global
 ];
 
diff --git a/hardening/systemd/nix-daemon.nix b/hardening/systemd/nix-daemon.nix
new file mode 100644
index 0000000..9a576e8
--- /dev/null
+++ b/hardening/systemd/nix-daemon.nix
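Review bot: The new `"grimmauld"` entry in `allowed-users` changes who may connect to the daemon, which the subject "nix-daemon confinement" does not mention. If that account is already a wheel member the entry is redundant with `"@wheel"`; if it is not, this widens daemon access and the reason belongs either in the commit message or in a comment beside the entry, e.g. `allowed-users = [ "@wheel" "grimmauld" ]; # <why this account is listed outside @wheel>`. The `nix.settings` block this hunk edits starts outside the hunk.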
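Review bot: Commenting out `./cups.nix` silently drops the cups hardening module in a commit whose subject only covers nix-daemon, and nothing in the hunk records why. Either keep the import or annotate the disabled line so the regression is deliberate and traceable, e.g. `# ./cups.nix # disabled: <reason>`; a separate commit would make the change easier to revert on its own. The `imports` list this hunk edits begins outside the hunk.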
@@ -0,0 +1,51 @@
+{
+ lib,
+ config,
+ ...
+}:
+{
+ config.systemd.services = lib.mkIf (config.specialisation != { }) {
+ nix-daemon.serviceConfig = {
+ MemoryDenyWriteExecute = true;
+ NoNewPrivileges = true;
+ SystemCallArchitectures = "native";
+ RestrictSUIDSGID = true; # good, somehow???
+
+ RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6"; # needed to download sources and caches
+ RestrictNamespaces = "user net uts mnt ipc pid"; # namespaces needed for sandboxing
+ SystemCallFilter = "@system-service @cpu-emulation @mount @privileged";
+
+ LockPersonality = true;
+ ProtectControlGroups = true;
+ ProtectKernelModules = true; # todo: does kvm need a modprobe here?
+ PrivateMounts = true;
+ ProtectProc = "invisible";
+ ProtectClock = true;
+
+ # file system
+ PrivateTmp = true;
+ ProtectSystem = "strict";
+ ReadWritePaths = "/nix";
+
+ # Scheduling: only do as much as resources are available
+ LimitNICE = 1;
+ Nice = 19;
+ RestrictRealtime = true;
+
+ # devices
+ DevicePolicy = "closed"; # allow pseudo-devices like /dev/null, but no real devices
+ DeviceAllow = "/dev/kvm"; # kvm is needed for VM tests
+
+ CapabilityBoundingSet = [
+ "CAP_FOWNER CAP_CHOWN CAP_SETUID CAP_SETGID CAP_SYS_ADMIN CAP_DAC_OVERRIDE"
+ ];
+
+ # ProtectKernelLogs=true; # BAD
+ # ProtectKernelTunables = true; # BAD
+ # PrivateUsers=true; BAD
+ # ProtectHome = "read-only"; # BAD
+ # ProtectHostname = true; # BAD!
+ # PrivateNetwork = true; # BAD!
+ };
+ };
+}
diff --git a/specific/grimm-nixos-ssd/hardware-configuration.nix b/specific/grimm-nixos-ssd/hardware-configuration.nix
index e264163..a4a57bb 100644
--- a/specific/grimm-nixos-ssd/hardware-configuration.nix
+++ b/specific/grimm-nixos-ssd/hardware-configuration.nix
@@ -41,7 +41,8 @@ in
 "mac80211"
 "bluetooth"
 "cfg80211"
- ]; # "kvm-intel"
+ "kvm-intel"
+ ];
 
 boot.extraModprobeConfig = "options iwlwifi disable_11ax=Y";
 boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
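Review bot: The `lib.mkIf (config.specialisation != { })` guard on the first attribute makes the whole confinement conditional on the evaluated system having specialisations, so it is presumably skipped inside a specialisation, and no comment says why; add one such as `# applied to the base system only; specialisations keep the stock nix-daemon unit` (or the actual reason) so the condition is not removed as a mistake. The trailing `# BAD` comments name no symptom, which leaves the next reader to rediscover each breakage; record what failed per line, hedged if unsure, e.g. `# PrivateUsers=true; # presumably breaks switching to the nixbld users`. Because seccomp filters and the capability bounding set are inherited by the builders the daemon forks, keeping `CAP_SYS_ADMIN` and `@privileged` means this set is tuned for sandbox setup rather than least privilege, and a comment stating that on `CapabilityBoundingSet` would stop someone tightening it and expecting a hard boundary. As a point of style, `CapabilityBoundingSet` is a one-element list holding a space-separated string; one capability per element is the usual Nix form and reads the same to systemd. The `# good, somehow???` on `RestrictSUIDSGID` should likewise state what was expected to break.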
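Review bot: Preloading `kvm-intel` here is presumably what lets `DeviceAllow = "/dev/kvm"` work under `ProtectKernelModules = true` in hardening/systemd/nix-daemon.nix, since the daemon can no longer load the module itself, yet the `# todo: does kvm need a modprobe here?` comment in that file is left open. Resolve it there with something like `# kvm is loaded at boot by the host config (boot.kernelModules), the daemon cannot modprobe` so the two files stay tied together; the same note in this hunk, `"kvm-intel" # needed for /dev/kvm in the confined nix-daemon`, would help. The list this hunk edits begins outside the hunk, and the module name is Intel-specific, which is appropriate only because this is a per-host file.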