From e8e11182c209ebef5cdea49ed97381cfd761078b Mon Sep 17 00:00:00 2001
From: Grimmauld
Date: Tue, 28 Jan 2025 23:59:41 +0100
Subject: [PATCH] dbus-broker hardening, acpid fixes
---
 hardening/encrypt-dns.nix | 2 +-
 hardening/opensnitch/dns.nix | 2 +-
 hardening/security.nix | 2 +-
 hardening/systemd/acpid.nix | 26 +++++++++++--
 hardening/systemd/dbus-broker.nix | 62 +++++++++++++++++++++++++++++++
 hardening/systemd/default.nix | 3 +-
 6 files changed, 89 insertions(+), 8 deletions(-)
 create mode 100644 hardening/systemd/dbus-broker.nix
diff --git a/hardening/encrypt-dns.nix b/hardening/encrypt-dns.nix
index da9906d..664504f 100644
--- a/hardening/encrypt-dns.nix
+++ b/hardening/encrypt-dns.nix
@@ -1,4 +1,4 @@
-{ pkgs, config, lib, ... }:
+{ config, lib, ... }:
 {
 networking = {
 nameservers = lib.mkForce [ "127.0.0.1" "::1" ];
diff --git a/hardening/opensnitch/dns.nix b/hardening/opensnitch/dns.nix
index 7727ad6..93ceb6f 100644
--- a/hardening/opensnitch/dns.nix
+++ b/hardening/opensnitch/dns.nix
@@ -55,7 +55,7 @@ in
 {
 type = "regexp";
 operand = "dest.port";
- data = "53|443|4434|5443";
+ data = "53|443|4434|5443|4343";
 }
 # {
 # type = "lists";
diff --git a/hardening/security.nix b/hardening/security.nix
index 848a14c..bdb104d 100644
--- a/hardening/security.nix
+++ b/hardening/security.nix
@@ -41,7 +41,7 @@ in
 }
 ];
- services.pcscd.enable = true;
+ # services.pcscd.enable = true;
 age.ageBin = let
 rage_wrapped = pkgs.symlinkJoin {
diff --git a/hardening/systemd/acpid.nix b/hardening/systemd/acpid.nix
index bc5ca16..8dc5cd5 100644
--- a/hardening/systemd/acpid.nix
+++ b/hardening/systemd/acpid.nix
@@ -6,7 +6,16 @@
 ""
 ];
 NoNewPrivileges = true;
- RestrictNamespaces = "pid";
+ RestrictNamespaces = [
+ "~pid"
+ "~user"
+ "~net"
+ "~uts"
+ "~mnt"
+ "~cgroup"
+ "~ipc"
+ ];
+ ProtectControlGroups = true;
 ProtectKernelModules = true;
 ProtectKernelTunables = true;
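Review bot: The new `data = "53|443|4434|5443|4343";` keeps the rule's regexp unanchored, so it also matches any destination port that merely contains one of those digit strings (1053, 4430, 15443, …) and the allow rule is far wider than the five ports it names; as far as I can tell opensnitch evaluates `regexp` operands with Go's unanchored MatchString. Anchoring closes the gap: `data = "^(53|443|4434|5443|4343)$";`. A short comment saying which resolver listens on 4343 would also help, since nothing in the commit explains the new port. The enclosing rule list starts and ends outside the hunk.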
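Review bot: Commenting out `services.pcscd.enable = true;` leaves no record of why the smartcard daemon is being turned off, and the commit subject does not mention it. An explicit `services.pcscd.enable = false; # <reason>` (or deleting the line) keeps the intent visible instead of leaving dead config. If the `rage_wrapped` wrapper just below bundles a smartcard plugin, it presumably needs pcscd at runtime, so that dependency is worth confirming before this lands. The enclosing attribute set continues outside the hunk.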
@@ -15,12 +24,21 @@
 SystemCallArchitectures = "native";
 SystemCallFilter = "@system-service";
 LockPersonality = true;
- ProtectSystem = true;
+ ProtectSystem = "strict";
 PrivateUsers = true;
- PrivateNetwork = true;
 RestrictRealtime = true;
+ PrivateTmp = true;
+ ProtectHome = true;
+ ProtectProc = "invisible";
+ ProtectKernelLogs = true;
 IPAddressAllow = [ ];
- RestrictAddressFamilies = "AF_NETLINK AF_UNIX";
+
+ PrivateDevices = false; # acpi obviously needs device access
+ PrivateNetwork = false; # required for netlink to work properly
+ RestrictAddressFamilies = [
+ "AF_NETLINK"
+ "AF_UNIX"
+ ];
 };
 };
 }
diff --git a/hardening/systemd/dbus-broker.nix b/hardening/systemd/dbus-broker.nix
new file mode 100644
index 0000000..12cafcb
--- /dev/null
+++ b/hardening/systemd/dbus-broker.nix
@@ -0,0 +1,62 @@
+{
+ lib,
+ config,
+ ...
+}:
+{
+ config.systemd.services = lib.mkIf (config.specialisation != { }) {
+ dbus-broker.serviceConfig = {
+ DevicePolicy = "closed";
+ KeyringMode = "private";
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ NoNewPrivileges = true;
+ PrivateDevices = true;
+ PrivateTmp = true;
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ ProtectHome = "read-only";
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectProc = "invisible";
+ ProtectSystem = "full";
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ SystemCallArchitectures = "native";
+
+ RestrictAddressFamilies = [
+ # "AF_INET"
+ # "AF_INET6"
+ "AF_UNIX"
+ ];
+ RestrictNamespaces = [
+ "~pid"
+ "~user"
+ "~net"
+ "~uts"
+ "~mnt"
+ "~cgroup"
+ "~ipc"
+ ];
+ SystemCallFilter = [
+ "@system-service"
+ "@privileged"
+ ];
+
+ PrivateMounts = true;
+
+ # CapabilityBoundingSet = [
+ # "CAP_NET_BIND_SERVICE"
+ # "CAP_SETGID"
+ # "CAP_SETUID"
+ # "CAP_SYS_CHROOT"
+ # "cap_dac_override"
+ # ];
+
+ # PrivateUsers = false; # important
+ # PrivateNetwork = false; # important
+ };
+ };
+}
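Review bot: `ProtectSystem = "strict";` mounts everything except /dev, /proc and /sys read-only, which includes /run, and acpid by default creates its control socket under /var/run (→ /run); unless the unit sets `RuntimeDirectory=`/`ReadWritePaths=` outside this hunk or starts acpid with its socket disabled, the service will likely fail with EROFS at startup. Either exempt the socket location (e.g. `ReadWritePaths = [ "/run" ];`, still far narrower than the old `ProtectSystem = true`) or give acpid a `RuntimeDirectory` and point `--socketfile` at it; check this against the unit's ExecStart. The comment on `PrivateDevices = false` would be more useful if it named what is actually needed — presumably the `/dev/input/event*` nodes acpid reads for button and lid events — rather than `obviously`. The seven-entry `RestrictNamespaces` deny list introduced in this file's first hunk, and repeated in dbus-broker.nix, is equivalent to `RestrictNamespaces = true;`, which is shorter and also covers any namespace type systemd adds later.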
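Review bot: `lib.mkIf (config.specialisation != { })` makes the whole hardening block conditional on specialisations being defined: on a host with none it is silently a no-op, and inside a specialisation NixOS resets `specialisation` to `{ }`, so the settings never apply there either. If that is the intent (harden only the base profile), a comment should say so, e.g. `# only the base system is hardened; NixOS resets config.specialisation to { } inside each specialisation`; if not, the condition is inverted or should simply be dropped. The `# important` annotations on the commented-out `PrivateUsers`/`PrivateNetwork` lines say nothing about why they matter; spell out the reason (presumably dbus-broker-launch must reach systemd and activated services in the host namespaces) or remove the dead lines. `SystemCallFilter` re-adds `@privileged` wholesale on top of `@system-service`, which deliberately excludes it; if only the setuid/setgid family is needed for launching activated services, the narrower `@setuid` group would keep the filter meaningful — worth verifying with the audit log before widening.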
diff --git a/hardening/systemd/default.nix b/hardening/systemd/default.nix
index f153985..bf6eed3 100644
--- a/hardening/systemd/default.nix
+++ b/hardening/systemd/default.nix
@@ -21,10 +21,11 @@ in
 ./bluetooth.nix
 # ./tty.nix
 ./ask-password.nix
- # ./nix-daemon.nix
+ ./nix-daemon.nix
 ./nscd.nix
 ./rtkit.nix
 ./sshd.nix
+ ./dbus-broker.nix
 ./global
 ];