more sysd hardening

hardening/systemd/NetworkManager.nix

@@ -25,9 +25,8 @@
       # PrivateUsers = true; # BAD
       # ProtectKernelTunables = true; # BAD
 
-      ProtectHostname=true;
-      ProcSubset="pid";
-      ProtectSystem=true;
+      ProcSubset = "pid";
+      ProtectSystem = true;
     };
 
     NetworkManager-dispatcher.serviceConfig = {
@@ -55,9 +54,8 @@
       # PrivateUsers = true; # BAD
       # ProtectKernelTunables = true; # BAD
 
-      ProtectHostname=true;
-      ProcSubset="pid";
-      ProtectSystem=true;
+      ProcSubset = "pid";
+      ProtectSystem = true;
     };
   };
 }

hardening/systemd/acpid.nix

@@ -3,8 +3,8 @@
   config.systemd.services = lib.mkIf (config.specialisation != { }) {
     acpid.serviceConfig = {
       CapabilityBoundingSet = [
-       ""
-       ];
+        ""
+      ];
       NoNewPrivileges = true;
       RestrictNamespaces = "pid";
       ProtectControlGroups = true;
@@ -15,13 +15,12 @@
       SystemCallArchitectures = "native";
       SystemCallFilter = "@system-service";
       LockPersonality = true;
-      ProtectHostname=true;
-      ProtectSystem=true;
-      PrivateUsers=true;
-      PrivateNetwork=true;
-      RestrictRealtime=true;
-      IPAddressAllow=[];
-      RestrictAddressFamilies="AF_NETLINK AF_UNIX";
+      ProtectSystem = true;
+      PrivateUsers = true;
+      PrivateNetwork = true;
+      RestrictRealtime = true;
+      IPAddressAllow = [ ];
+      RestrictAddressFamilies = "AF_NETLINK AF_UNIX";
     };
   };
 }

hardening/systemd/ask-password.nix

@@ -0,0 +1,41 @@
+{ lib, config, ... }:
+{
+  config.systemd.services = lib.mkIf (config.specialisation != { }) {
+    systemd-ask-password-console.serviceConfig = {
+      CapabilityBoundingSet = [
+        ""
+      ];
+      NoNewPrivileges = true;
+      RestrictNamespaces = "pid";
+      ProtectControlGroups = true;
+      ProtectKernelModules = true;
+      ProtectKernelTunables = true;
+      MemoryDenyWriteExecute = true;
+      RestrictSUIDSGID = true;
+      SystemCallArchitectures = "native";
+      SystemCallFilter = "@system-service";
+      LockPersonality = true;
+      RestrictRealtime = true;
+      ProtectProc = "invisible";
+      PrivateUsers = true;
+    };
+    systemd-ask-password-wall.serviceConfig = {
+      CapabilityBoundingSet = [
+        ""
+      ];
+      NoNewPrivileges = true;
+      RestrictNamespaces = "pid";
+      ProtectControlGroups = true;
+      ProtectKernelModules = true;
+      ProtectKernelTunables = true;
+      MemoryDenyWriteExecute = true;
+      RestrictSUIDSGID = true;
+      SystemCallArchitectures = "native";
+      SystemCallFilter = "@system-service";
+      LockPersonality = true;
+      RestrictRealtime = true;
+      ProtectProc = "invisible";
+      PrivateUsers = true;
+    };
+  };
+}

hardening/systemd/auditd.nix

@@ -12,13 +12,12 @@
       SystemCallArchitectures = "native";
       SystemCallFilter = "@system-service";
       LockPersonality = true;
-      ProtectHostname=true;
-      ProtectSystem=true;
+      ProtectSystem = true;
       # PrivateUsers=true;
       # PrivateNetwork=true;
-      RestrictRealtime=true;
-      IPAddressAllow=[];
-      RestrictAddressFamilies="AF_NETLINK";
+      RestrictRealtime = true;
+      IPAddressAllow = [ ];
+      RestrictAddressFamilies = "AF_NETLINK";
     };
   };
 }

hardening/systemd/bluetooth.nix

@@ -0,0 +1,46 @@
+{ lib, config, ... }:
+{
+  config.systemd.services = lib.mkIf (config.specialisation != { }) {
+    bluetooth.serviceConfig = {
+      CapabilityBoundingSet = [
+        ""
+      ];
+      NoNewPrivileges = true;
+      RestrictNamespaces = "pid";
+
+      ProtectControlGroups = true;
+      ProtectKernelModules = true;
+      ProtectKernelTunables = true;
+      MemoryDenyWriteExecute = true;
+      RestrictSUIDSGID = true;
+      SystemCallArchitectures = "native";
+      SystemCallFilter = "@system-service";
+      LockPersonality = true;
+      RestrictRealtime = true;
+      ProtectProc = "invisible";
+
+      PrivateUsers = true;
+    };
+
+    blueman-mechanism.serviceConfig = {
+      CapabilityBoundingSet = [
+        ""
+      ];
+      NoNewPrivileges = true;
+      RestrictNamespaces = "pid";
+
+      ProtectControlGroups = true;
+      ProtectKernelModules = true;
+      ProtectKernelTunables = true;
+      MemoryDenyWriteExecute = true;
+      RestrictSUIDSGID = true;
+      SystemCallArchitectures = "native";
+      SystemCallFilter = "@system-service";
+      LockPersonality = true;
+      RestrictRealtime = true;
+      ProtectProc = "invisible";
+
+      PrivateUsers = true;
+    };
+  };
+}

hardening/systemd/cups.nix

@@ -2,12 +2,13 @@
 {
   config.systemd.services = lib.mkIf (config.specialisation != { }) {
     cups.serviceConfig = {
-      #CapabilityBoundingSet = [
-      # ""
-      #];
+
+      CapabilityBoundingSet = [
+        "CAP_LEASE CAP_MKNOD CAP_SYS_RAWIO CAP_SYS_RESOURCE CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW CAP_SETUID CAP_SETGID"
+      ];
       NoNewPrivileges = true;
       RestrictNamespaces = "pid";
-      
+
       ProtectControlGroups = true;
       ProtectKernelModules = true;
       ProtectKernelTunables = true;
@@ -16,12 +17,12 @@
       SystemCallArchitectures = "native";
       SystemCallFilter = "@system-service";
       LockPersonality = true;
-      ProtectHostname=true;
-      RestrictRealtime=true;
-      
+      RestrictRealtime = true;
+      ProtectProc = "invisible";
+
       # PrivateUsers=true;
-      # PrivateNetwork=true;
-      # RestrictAddressFamilies="AF_UNIX";
+      PrivateNetwork = true;
+      RestrictAddressFamilies = "AF_UNIX";
       # ProtectSystem=true;
     };
   };

hardening/systemd/default.nix

@@ -18,6 +18,11 @@ in
     ./auditd.nix
     ./acpid.nix
     ./cups.nix
+    ./bluetooth.nix
+    ./tty.nix
+    ./ask-password.nix
+
+    ./global
   ];
 
   options.systemd.services = lib.mkOption {
@@ -38,8 +43,6 @@ in
               mkIf (osConfig.specialisation != { }) (
                 {
                   ProtectHome = mkDefault true;
-                  ProtectClock = mkDefault true;
-                  # ProtectHostname = mkDefault true;
                   # LockPersonality = mkIf shouldMakeIntrusive (mkDefault true); # UH OH THIS ONE IS ROUGH!
                 }
                 // (lib.optionalAttrs shouldMakeIntrusive {
@@ -65,6 +68,7 @@ in
       sshd.serviceConfig.ProtectHome = false;
       display-manager.serviceConfig.ProtectHome = "read-only";
       dbus-broker.serviceConfig.ProtectHome = "read-only";
+      systemd-logind.serviceConfig.ProtectHome = false;
 
       nix-daemon.serviceConfig.ProtectHome = false;
 
@@ -86,16 +90,6 @@ in
       display-manager.serviceConfig.SystemCallFilter = "";
       sshd.serviceConfig.SystemCallFilter = "";
       rtkit-daemon.serviceConfig.SystemCallFilter = "";
-
-      systemd-timesync.serviceConfig = {
-        ProtectClock = false;
-        SystemCallFilter = "@system-service @clock";
-      };
-
-      save-hwclock.serviceConfig = {
-        ProtectClock = false;
-        SystemCallFilter = "@system-service @clock";
-      };
     };
   };
 }

hardening/systemd/global/clock.nix

@@ -0,0 +1,37 @@
+{ lib, config, ... }:
+let
+  inherit (lib) mkDefault types mkIf;
+in
+{
+  options.systemd.services = lib.mkOption {
+    type =
+      let
+        osConfig = config;
+      in
+      types.attrsOf (
+        lib.types.submodule (
+          { config, name, ... }:
+          {
+            config.serviceConfig = mkIf (osConfig.specialisation != { }) {
+              ProtectClock = mkDefault true;
+            };
+          }
+        )
+      );
+  };
+
+  config = mkIf (config.specialisation != { }) {
+
+    systemd.services = {
+      systemd-timesyncd.serviceConfig = {
+        ProtectClock = false;
+        SystemCallFilter = "@system-service @clock";
+      };
+
+      save-hwclock.serviceConfig = {
+        ProtectClock = false;
+        SystemCallFilter = "@system-service @clock";
+      };
+    };
+  };
+}

hardening/systemd/global/default.nix

@@ -0,0 +1,6 @@
+{
+  imports = [
+    ./hostname.nix
+    ./clock.nix
+  ];
+}

hardening/systemd/global/hostname.nix

@@ -0,0 +1,29 @@
+{ lib, config, ... }:
+let
+  inherit (lib) types mkIf mkDefault;
+in
+{
+  options.systemd.services = lib.mkOption {
+    type =
+      let
+        osConfig = config;
+      in
+      types.attrsOf (
+        lib.types.submodule (
+          { config, name, ... }:
+          {
+            config.serviceConfig = mkIf (osConfig.specialisation != { }) {
+              ProtectHostname = mkDefault true;
+            };
+          }
+        )
+      );
+  };
+
+  config = mkIf (config.specialisation != { }) {
+    systemd.services = {
+      systemd-hostnamed.serviceConfig.ProtectHostname = false;
+      nix-daemon.serviceConfig.ProtectHostname = false;
+    };
+  };
+}

hardening/systemd/tty.nix

@@ -0,0 +1,32 @@
+{ lib, config, ... }:
+{
+  config.systemd.services = lib.mkIf (config.specialisation != { }) {
+    "getty@".serviceConfig = {
+
+      #CapabilityBoundingSet =[
+      #  "CAP_SYS_TTY_CONFIGCAP_LEASE"
+      #];
+
+      # NoNewPrivileges = true;
+      RestrictNamespaces = "pid";
+
+      ProtectControlGroups = true;
+      ProtectHome = false;
+      ProtectClock = false;
+      ProtectKernelModules = true;
+      ProtectKernelTunables = true;
+      MemoryDenyWriteExecute = true;
+      # RestrictSUIDSGID = true;
+      SystemCallArchitectures = "native";
+      SystemCallFilter = lib.mkForce "@system-service";
+      LockPersonality = true;
+      #RestrictRealtime=true;
+      ProtectProc = "invisible";
+
+      # PrivateUsers=true;
+      PrivateNetwork = true;
+      RestrictAddressFamilies = "AF_UNIX";
+      # ProtectSystem=true;
+    };
+  };
+}

hardening/systemd/wpa_supplicant.nix

@@ -22,9 +22,8 @@
       SystemCallFilter = "@system-service";
       LockPersonality = true;
 
-      ProtectHostname=true;
-      ProcSubset="pid";
-      ProtectSystem=true;
+      ProcSubset = "pid";
+      ProtectSystem = true;
     };
   };
 }