author | Symphorien Gibol <symphorien+git@xlumurb.eu> | 2020-02-02 12:00:00 +0000 |
---|---|---|
committer | Symphorien Gibol <symphorien+git@xlumurb.eu> | 2020-02-04 20:54:29 +0100 |
commit | 00a91d919d6f6cdaecc67a894f372a4195fea9da (patch) | |
tree | cd7c4f50b8d41af4aa80efe853b293efcff12380 | |
parent | 7437bff7d1db7f1d62a53350a73632d18926d67a (diff) | |
nixos/iodine: hardening
-rw-r--r-- | nixos/modules/services/networking/iodine.nix | 38 |
1 files changed, 38 insertions, 0 deletions
diff --git a/nixos/modules/services/networking/iodine.nix b/nixos/modules/services/networking/iodine.nix
index 58067edf9026..8aa911708511 100644
--- a/nixos/modules/services/networking/iodine.nix
+++ b/nixos/modules/services/networking/iodine.nix
@@ -9,6 +9,8 @@ let
 iodinedUser = "iodined";
+ /* is this path made unreadable by ProtectHome = true ? */
+ isProtected = x: hasPrefix "/root" x || hasPrefix "/home" x;
 in
 {
 imports = [
@@ -134,6 +136,24 @@ in
 serviceConfig = {
 RestartSec = "30s";
 Restart = "always";
+
+ # hardening :
+ # Filesystem access
+ ProtectSystem = "strict";
+ ProtectHome = if isProtected cfg.passwordFile then "read-only" else "true" ;
+ PrivateTmp = true;
+ ReadWritePaths = "/dev/net/tun";
+ PrivateDevices = false;
+ ProtectKernelTunables = true;
+ ProtectKernelModules = true;
+ ProtectControlGroups = true;
+ # Caps
+ NoNewPrivileges = true;
+ # Misc.
+ LockPersonality = true;
+ RestrictRealtime = true;
+ PrivateMounts = true;
+ MemoryDenyWriteExecute = true;
 };
 };
 in
@@ -147,6 +167,24 @@ in
 after = [ "network.target" ];
 wantedBy = [ "multi-user.target" ];
 script = "exec ${pkgs.iodine}/bin/iodined -f -u ${iodinedUser} ${cfg.server.extraConfig} ${optionalString (cfg.server.passwordFile != "") "< \"${cfg.server.passwordFile}\""} ${cfg.server.ip} ${cfg.server.domain}";
+ serviceConfig = {
+ # Filesystem access
+ ProtectSystem = "strict";
+ ProtectHome = if isProtected cfg.server.passwordFile then "read-only" else "true" ;
+ PrivateTmp = true;
+ ReadWritePaths = "/dev/net/tun";
+ PrivateDevices = false;
+ ProtectKernelTunables = true;
+ ProtectKernelModules = true;
+ ProtectControlGroups = true;
+ # Caps
+ NoNewPrivileges = true;
+ # Misc.
+ LockPersonality = true;
+ RestrictRealtime = true;
+ PrivateMounts = true;
+ MemoryDenyWriteExecute = true;
+ };
 };
 };
|
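Review bot: `isProtected` in the first hunk misses `/run/user`, which `ProtectHome=true` hides together with `/home` and `/root` per systemd.exec(5), so a `passwordFile` placed there would still be unreadable at runtime although the helper returns false; a prefix check without a trailing slash also treats e.g. `/homeless/x` as a home path (harmless, it just picks the weaker setting). Consider `isProtected = x: any (p: hasPrefix p x) [ "/root/" "/home/" "/run/user/" ];`, assuming `any` and `hasPrefix` are in scope from `lib` (the file header is outside the hunk), and a comment that says what the helper decides: `# ProtectHome=true hides /home, /root and /run/user; a password file under one of them needs "read-only" instead`. The helper only inspects the string, so a symlink or `..` path leading into one of those trees is not detected either.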
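Review bot: The 17 hardening settings added to the client `serviceConfig` in the second hunk are repeated verbatim in the server `serviceConfig` in the third, differing only in which password file is checked; hoisting them into the `let` block — `hardening = passwordFile: { ProtectSystem = "strict"; ProtectHome = if isProtected passwordFile then "read-only" else true; … };` — and writing `serviceConfig = { RestartSec = "30s"; Restart = "always"; } // hardening cfg.passwordFile;` keeps the two services from drifting apart. While doing so, `else "true" ;` can become the boolean `true` with the stray space before `;` dropped, since the NixOS unit generator renders booleans as `true`/`false` for unit options anyway, unless the string form is deliberate here. The `# hardening :` label exists only on the client side; the server copy starts at `# Filesystem access`.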
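Review bot: The `# Caps` section in the third hunk (and in the client copy in the second) consists only of `NoNewPrivileges = true`; no `CapabilityBoundingSet` is set, so the root-started `iodined` keeps the full capability set until it drops to `-u ${iodinedUser}`. Which capabilities it actually needs (it creates a tun interface, changes user and listens on a DNS port) should be measured on a test deployment before adding something like `CapabilityBoundingSet = [ "CAP_NET_ADMIN" "CAP_NET_BIND_SERVICE" "CAP_SETUID" "CAP_SETGID" ];` — I have not verified the exact set. Along the same lines, `RestrictAddressFamilies`, `RestrictNamespaces` and a `SystemCallFilter` are absent from both copies. Separately, `ProtectSystem=strict` already leaves `/dev/` writable per systemd.exec(5), so `ReadWritePaths = "/dev/net/tun"` looks redundant rather than harmful.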