author | github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> | 2021-04-25 06:05:34 +0000 |
committer | GitHub <noreply@github.com> | 2021-04-25 06:05:34 +0000 |
commit | a956f62ea4ea5a9e5bd18e87b1ea362e583dbcad (patch) | |
tree | 75387e5c123ed24cafeb1ed70aeec03ce9ed4236 /nixos | |
parent | 0f1c4558d362a34cddea207acafff4596058af0b (diff) | |
parent | 4b7ccb341881d1773f250c2a2e3fa6d5cab6d848 (diff) | |
Merge master into staging-next
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/doc/manual/release-notes/rl-2105.xml | 7 | ||||
-rw-r--r-- | nixos/modules/services/networking/babeld.nix | 16 | ||||
-rw-r--r-- | nixos/tests/babeld.nix | 6 |
3 files changed, 21 insertions, 8 deletions
diff --git a/nixos/doc/manual/release-notes/rl-2105.xml b/nixos/doc/manual/release-notes/rl-2105.xml
index e0552c25a856..5fbef88c4a5c 100644
--- a/nixos/doc/manual/release-notes/rl-2105.xml
+++ b/nixos/doc/manual/release-notes/rl-2105.xml
@@ -680,6 +680,13 @@ environment.systemPackages = [
 All CUDA toolkit versions prior to CUDA 10 have been removed.
 </para>
 </listitem>
+ <listitem>
+ <para>
+ The <package>babeld</package> service is now being run as an unprivileged user. To achieve that the module configures
+ <literal>skip-kernel-setup true</literal> and takes care of setting forwarding and rp_filter sysctls by itself as well
+ as for each interface in <varname>services.babeld.interfaces</varname>.
+ </para>
+ </listitem>
 </itemizedlist>
 </section>
diff --git a/nixos/modules/services/networking/babeld.nix b/nixos/modules/services/networking/babeld.nix
index e16e56121c4c..97dca002a007 100644
--- a/nixos/modules/services/networking/babeld.nix
+++ b/nixos/modules/services/networking/babeld.nix
@@ -19,7 +19,10 @@ let
 "interface ${name} ${paramsString interface}\n";
 configFile = with cfg; pkgs.writeText "babeld.conf" (
- (optionalString (cfg.interfaceDefaults != null) ''
+ ''
+ skip-kernel-setup true
+ ''
+ + (optionalString (cfg.interfaceDefaults != null) ''
 default ${paramsString cfg.interfaceDefaults}
 '') +
 (concatMapStrings interfaceConfig (attrNames cfg.interfaces))
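Review bot: The new `skip-kernel-setup true` line placed at the head of `configFile` carries no comment saying why it is there, while the reason lives in a different part of the module (the service now runs as a DynamicUser with ProtectKernelTunables, so babeld can no longer write forwarding/rp_filter itself and the module sets them through boot.kernel.sysctl); a maintainer reverting either half on its own would silently break routing. I would add, above the literal, `# babeld runs unprivileged and cannot write sysctls; forwarding/rp_filter are set via boot.kernel.sysctl instead`. Since this is a fixed prefix of the generated file, any user-supplied configuration appended later in the same expression could presumably re-set the option, which is worth confirming against the rest of the definition. The `configFile` expression continues past the end of this hunk.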
@@ -84,13 +87,22 @@ in
 config = mkIf config.services.babeld.enable {
+ boot.kernel.sysctl = {
+ "net.ipv6.conf.all.forwarding" = 1;
+ "net.ipv6.conf.all.accept_redirects" = 0;
+ "net.ipv4.conf.all.forwarding" = 1;
+ "net.ipv4.conf.all.rp_filter" = 0;
+ } // lib.mapAttrs' (ifname: _: lib.nameValuePair "net.ipv4.conf.${ifname}.rp_filter" (lib.mkDefault 0)) config.services.babeld.interfaces;
+
 systemd.services.babeld = {
 description = "Babel routing daemon";
 after = [ "network.target" ];
 wantedBy = [ "multi-user.target" ];
 serviceConfig = {
 ExecStart = "${pkgs.babeld}/bin/babeld -c ${configFile} -I /run/babeld/babeld.pid -S /var/lib/babeld/state";
+ AmbientCapabilities = [ "CAP_NET_ADMIN" ];
 CapabilityBoundingSet = [ "CAP_NET_ADMIN" ];
+ DynamicUser = true;
 IPAddressAllow = [ "fe80::/64" "ff00::/8" "::1/128" "127.0.0.0/8" ];
 IPAddressDeny = "any";
 LockPersonality = true;
@@ -98,7 +110,7 @@ in
 MemoryDenyWriteExecute = true;
 ProtectSystem = "strict";
 ProtectClock = true;
- ProtectKernelTunables = false; # Couldn't write sysctl: Read-only file system
+ ProtectKernelTunables = true;
 ProtectKernelModules = true;
 ProtectKernelLogs = true;
 ProtectControlGroups = true;
diff --git a/nixos/tests/babeld.nix b/nixos/tests/babeld.nix
index 5817ea4ce142..d4df6f86d089 100644
--- a/nixos/tests/babeld.nix
+++ b/nixos/tests/babeld.nix
@@ -25,9 +25,6 @@ import ./make-test-python.nix ({ pkgs, lib, ...} : {
 {
 virtualisation.vlans = [ 10 20 ];
- boot.kernel.sysctl."net.ipv4.conf.all.forwarding" = 1;
- boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = 1;
-
 networking = {
 useDHCP = false;
 firewall.enable = false;
@@ -74,9 +71,6 @@ import ./make-test-python.nix ({ pkgs, lib, ...} : {
 {
 virtualisation.vlans = [ 20 30 ];
- boot.kernel.sysctl."net.ipv4.conf.all.forwarding" = 1;
- boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = 1;
-
 networking = {
 useDHCP = false;
 firewall.enable = false;
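Review bot: The per-interface key built in the new `boot.kernel.sysctl` block, `net.ipv4.conf.${ifname}.rp_filter`, breaks for interface names that contain a dot (VLAN interfaces such as `eth0.100`), because sysctl treats the dot as a path separator; the interface name has to be written with `/` instead, e.g. `lib.nameValuePair "net.ipv4.conf.${lib.replaceStrings ["."] ["/"] ifname}.rp_filter" (lib.mkDefault 0)`. Separately, `"net.ipv4.conf.all.rp_filter" = 0;` is set at normal priority, which turns off reverse-path filtering for every interface on the host (the kernel uses the larger of `all` and the per-interface value), not only the Babel ones, and an admin who wants loose mode (`2`) cannot override it without a definition conflict. Making it `"net.ipv4.conf.all.rp_filter" = lib.mkDefault 0;` matches the per-interface entries and keeps that choice overridable. The `config = mkIf …` attrset and the `systemd.services.babeld` definition both continue past the end of this hunk.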