author | sternenseemann <0rpkxez4ksa01gb3typccl0i@systemli.org> | 2021-06-16 21:16:25 +0200 |
---|---|---|
committer | sterni <sternenseemann@systemli.org> | 2021-06-16 22:28:25 +0200 |
commit | 1c6ce35ccab010c7983f7d7a72a849e4e0c377b6 (patch) | |
tree | dc8d1ab401c11ad24410022f23132a5c46fbfe22 | |
parent | f83032b647d678cd88259987d5a62ddc1f9c3247 (diff) |
fix(nixos): fix sandboxing
Due to a typo, previously the whole filesystem was accessible. Now we can't use `InaccessiblePaths` anymore, since it doesn't allow nesting with `BindReadOnlyPaths`. Thus we need to switch to `TemporaryFileSystem`, which unfortunately doesn't seem to work with `DynamicUser`. With a new warteraum-specific user we can run warteraum in a filesystem that only contains `/nix/store`, the secret files and vital things like `/proc`, `/dev` etc.
-rw-r--r-- | README.adoc | 3 | ||||
-rw-r--r-- | nixos/flipdot-gschichtler.nix | 32 |
2 files changed, 28 insertions, 7 deletions
diff --git a/README.adoc b/README.adoc
index e13439e..6ce53ad 100644
--- a/README.adoc
+++ b/README.adoc
@@ -347,6 +347,9 @@ Changelog
 service this is reflected by the usage of `saltFile` and `tokensFile` respectively over the previous `salt` and `tokens`.
+** Fix sandboxing in `nixos/flipdot-gschichtler.nix`: Now only
+ the secret files and the nix store will be readable to the
+ `warteraum` process.
 2.0.0
 ~~~~~
diff --git a/nixos/flipdot-gschichtler.nix b/nixos/flipdot-gschichtler.nix
index f94fe01..06efd62 100644
--- a/nixos/flipdot-gschichtler.nix
+++ b/nixos/flipdot-gschichtler.nix
@@ -8,6 +8,8 @@ let
 bahnhofshalle
 warteraum-static
 ;
+
+ userGroupName = "warteraum";
 in {
 options = {
 services.flipdot-gschichtler = {
@@ -58,21 +60,26 @@ in {
 serviceConfig = {
 Type = "simple";
 ExecStart = "${warteraum-static}/bin/warteraum";
- InAccessibleDirectories = "/";
+
+ # make only /nix/store and the salt and token file accessible
+ TemporaryFileSystem = "/:ro";
+ BindReadOnlyPaths = "/nix/store " + (lib.concatStringsSep " " [
+ cfg.saltFile
+ cfg.tokensFile
+ ]);
+ # TemporaryFileSystem doesn't work with DynamicUser
+ User = userGroupName;
+ Group = userGroupName;
+ # mmap and munmap are used by libscrypt-kdf
 SystemCallFilter = "@default @basic-io @io-event @network-io fcntl @signal @process @timer brk mmap munmap open";
 SystemCallArchitectures = "native";
- CapabilityBoundingSet = "";
+ CapabilityBoundingSet = "";
 NoNewPrivileges = true;
 RestrictRealtime = true;
 LockPersonality = true;
- DynamicUser = true;
-
- ProtectSystem = "strict";
- ProtectHome = true;
- PrivateTmp = true;
 PrivateUsers = true;
 ProtectKernelTunables = true;
 ProtectKernelModules = true;
@@ -81,6 +88,9 @@ in {
 MemoryDenyWriteExecute = true;
 PrivateDevices = true;
 PrivateMounts = true;
+
+ StandardError = "journal";
+ StandardOutput = "journal";
 };
 };
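Review bot: Dropping `DynamicUser = true` in the serviceConfig hunk also drops the hardening that setting implies (`RemoveIPC=`, `RestrictSUIDSGID=`, `ProtectSystem=strict`, `PrivateTmp=`); the read-only tmpfs root now covers the last two, but the first two are no longer set anywhere in this hunk and should be added explicitly next to `User`/`Group`: `RemoveIPC = true;` and `RestrictSUIDSGID = true;`. `BindReadOnlyPaths` only makes the two secret files visible inside the tmpfs, it does not grant read permission, so with a fixed `warteraum` user the operator must now make `saltFile`/`tokensFile` readable by that user; the option descriptions (outside this hunk) should state that, e.g. `Must be readable by the warteraum user; prefer owner warteraum, mode 0400.` As a point of style, the hand-joined string could be the list `BindReadOnlyPaths = [ "/nix/store" cfg.saltFile cfg.tokensFile ];`, which the NixOS module would presumably emit as one directive per path. The `serviceConfig` attribute set continues past the end of the hunk.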
@@ -94,5 +104,13 @@ in {
 }
 '';
 };
+
+ users = {
+ users."${userGroupName}"= {
+ isSystemUser = true;
+ group = userGroupName;
+ };
+ groups."${userGroupName}"= {};
+ };
 };
 }
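Review bot: The new user and group attribute names are written as `users."${userGroupName}"= {` and `groups."${userGroupName}"= {};`, with no space before `=` and a quoted interpolation that Nix does not need here; the idiomatic form is `users.${userGroupName} = {` and `groups.${userGroupName} = {};`. The `config` attribute set these `users` definitions live in starts outside the hunk.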