authorgithub-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>2021-04-25 06:05:34 +0000
committerGitHub <noreply@github.com>2021-04-25 06:05:34 +0000
commita956f62ea4ea5a9e5bd18e87b1ea362e583dbcad (patch)
tree75387e5c123ed24cafeb1ed70aeec03ce9ed4236 /nixos
parent0f1c4558d362a34cddea207acafff4596058af0b (diff)
parent4b7ccb341881d1773f250c2a2e3fa6d5cab6d848 (diff)
Merge master into staging-next
Diffstat (limited to 'nixos')
-rw-r--r--nixos/doc/manual/release-notes/rl-2105.xml7
-rw-r--r--nixos/modules/services/networking/babeld.nix16
-rw-r--r--nixos/tests/babeld.nix6
3 files changed, 21 insertions, 8 deletions
diff --git a/nixos/doc/manual/release-notes/rl-2105.xml b/nixos/doc/manual/release-notes/rl-2105.xml
index e0552c25a856..5fbef88c4a5c 100644
--- a/nixos/doc/manual/release-notes/rl-2105.xml
+++ b/nixos/doc/manual/release-notes/rl-2105.xml
@@ -680,6 +680,13 @@ environment.systemPackages = [
      All CUDA toolkit versions prior to CUDA 10 have been removed.
     </para>
    </listitem>
+   <listitem>
+     <para>
+       The <package>babeld</package> service is now being run as an unprivileged user. To achieve that the module configures
+       <literal>skip-kernel-setup true</literal> and takes care of setting forwarding and rp_filter sysctls by itself as well
+       as for each interface in <varname>services.babeld.interfaces</varname>.
+     </para>
+   </listitem>
   </itemizedlist>
  </section>
 
diff --git a/nixos/modules/services/networking/babeld.nix b/nixos/modules/services/networking/babeld.nix
index e16e56121c4c..97dca002a007 100644
--- a/nixos/modules/services/networking/babeld.nix
+++ b/nixos/modules/services/networking/babeld.nix
@@ -19,7 +19,10 @@ let
     "interface ${name} ${paramsString interface}\n";
 
   configFile = with cfg; pkgs.writeText "babeld.conf" (
-    (optionalString (cfg.interfaceDefaults != null) ''
+    ''
+      skip-kernel-setup true
+    ''
+    + (optionalString (cfg.interfaceDefaults != null) ''
       default ${paramsString cfg.interfaceDefaults}
     '')
     + (concatMapStrings interfaceConfig (attrNames cfg.interfaces))
@@ -84,13 +87,22 @@ in
 
   config = mkIf config.services.babeld.enable {
 
+    boot.kernel.sysctl = {
+      "net.ipv6.conf.all.forwarding" = 1;
+      "net.ipv6.conf.all.accept_redirects" = 0;
+      "net.ipv4.conf.all.forwarding" = 1;
+      "net.ipv4.conf.all.rp_filter" = 0;
+    } // lib.mapAttrs' (ifname: _: lib.nameValuePair "net.ipv4.conf.${ifname}.rp_filter" (lib.mkDefault 0)) config.services.babeld.interfaces;
+
     systemd.services.babeld = {
       description = "Babel routing daemon";
       after = [ "network.target" ];
       wantedBy = [ "multi-user.target" ];
       serviceConfig = {
         ExecStart = "${pkgs.babeld}/bin/babeld -c ${configFile} -I /run/babeld/babeld.pid -S /var/lib/babeld/state";
+        AmbientCapabilities = [ "CAP_NET_ADMIN" ];
         CapabilityBoundingSet = [ "CAP_NET_ADMIN" ];
+        DynamicUser = true;
         IPAddressAllow = [ "fe80::/64" "ff00::/8" "::1/128" "127.0.0.0/8" ];
         IPAddressDeny = "any";
         LockPersonality = true;
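Review bot: The four global entries at the top of the new `boot.kernel.sysctl` block are plain assignments (`= 1` / `= 0`) while the per-interface `rp_filter` entries a few lines later use `lib.mkDefault 0`, and nothing in the hunk explains the asymmetry, so a reader will take it for an oversight and a user who also defines one of those keys gets a conflicting-definition error rather than an override. If the plain assignments are intentional — presumably so they outrank `mkDefault` values that other NixOS modules set for the forwarding keys — a comment above the attrset should say so, e.g. `# Plain assignments on purpose: these must take precedence over mkDefault values from other modules; use lib.mkForce to override.` The block disables `accept_redirects` only for IPv6; the IPv4 counterpart `net.ipv4.conf.all.accept_redirects` is left alone, which is presumably harmless because the kernel's functional default for it already depends on forwarding being enabled, but adding `"net.ipv4.conf.all.accept_redirects" = 0;` would make the router hardening symmetric. Separately, with `DynamicUser = true` the `/var/lib/babeld/state` and `/run/babeld` paths in `ExecStart` are only writable if the unit declares `StateDirectory = "babeld";` and `RuntimeDirectory = "babeld";` — if those are in the part of `serviceConfig` outside this hunk, ignore this.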
@@ -98,7 +110,7 @@ in
         MemoryDenyWriteExecute = true;
         ProtectSystem = "strict";
         ProtectClock = true;
-        ProtectKernelTunables = false; # Couldn't write sysctl: Read-only file system
+        ProtectKernelTunables = true;
         ProtectKernelModules = true;
         ProtectKernelLogs = true;
         ProtectControlGroups = true;
diff --git a/nixos/tests/babeld.nix b/nixos/tests/babeld.nix
index 5817ea4ce142..d4df6f86d089 100644
--- a/nixos/tests/babeld.nix
+++ b/nixos/tests/babeld.nix
@@ -25,9 +25,6 @@ import ./make-test-python.nix ({ pkgs, lib, ...} : {
       {
         virtualisation.vlans = [ 10 20 ];
 
-        boot.kernel.sysctl."net.ipv4.conf.all.forwarding" = 1;
-        boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = 1;
-
         networking = {
           useDHCP = false;
           firewall.enable = false;
@@ -74,9 +71,6 @@ import ./make-test-python.nix ({ pkgs, lib, ...} : {
       {
         virtualisation.vlans = [ 20 30 ];
 
-        boot.kernel.sysctl."net.ipv4.conf.all.forwarding" = 1;
-        boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = 1;
-
         networking = {
           useDHCP = false;
           firewall.enable = false;