author | Martin Weinelt <hexa@darmstadt.ccc.de> | 2020-11-24 22:41:21 +0100 |
committer | Martin Weinelt <hexa@darmstadt.ccc.de> | 2021-04-25 00:54:52 +0200 |
commit | e8988f7a30ba6e4a55c06673a8b672b75bb25d76 (patch) | |
tree | 3c5d4019607c890a92992e751112404b98787b60 /nixos | |
parent | 70c96f0e02dcfdc559da4bc699c751d9fb1b2dab (diff) | |
nixos/babeld: run as DynamicUser
The last bit preventing babeld from running unprivileged was its kernel_setup_interface routine, which wants to set per-interface rp_filter. This behaviour has been disabled in a patch that has been submitted upstream at https://github.com/jech/babeld/pull/68 and reuses the skip-kernel-setup config option. → Overall exposure level for babeld.service: 1.7 OK 🙂
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/doc/manual/release-notes/rl-2105.xml | 7 | ||||
-rw-r--r-- | nixos/modules/services/networking/babeld.nix | 16 |
2 files changed, 21 insertions, 2 deletions
diff --git a/nixos/doc/manual/release-notes/rl-2105.xml b/nixos/doc/manual/release-notes/rl-2105.xml index e0552c25a856..5fbef88c4a5c 100644 --- a/nixos/doc/manual/release-notes/rl-2105.xml +++ b/nixos/doc/manual/release-notes/rl-2105.xml @@ -680,6 +680,13 @@ environment.systemPackages = [ All CUDA toolkit versions prior to CUDA 10 have been removed. </para> </listitem> + <listitem> + <para> + The <package>babeld</package> service is now being run as an unprivileged user. To achieve that the module configures + <literal>skip-kernel-setup true</literal> and takes care of setting forwarding and rp_filter sysctls by itself as well + as for each interface in <varname>services.babeld.interfaces</varname>. + </para> + </listitem> </itemizedlist> </section> diff --git a/nixos/modules/services/networking/babeld.nix b/nixos/modules/services/networking/babeld.nix index e16e56121c4c..97dca002a007 100644 --- a/nixos/modules/services/networking/babeld.nix +++ b/nixos/modules/services/networking/babeld.nix @@ -19,7 +19,10 @@ let "interface ${name} ${paramsString interface}\n"; configFile = with cfg; pkgs.writeText "babeld.conf" ( - (optionalString (cfg.interfaceDefaults != null) '' + '' + skip-kernel-setup true + '' + + (optionalString (cfg.interfaceDefaults != null) '' default ${paramsString cfg.interfaceDefaults} '') + (concatMapStrings interfaceConfig (attrNames cfg.interfaces)) 
@@ -84,13 +87,22 @@ in config = mkIf config.services.babeld.enable { + boot.kernel.sysctl = { + "net.ipv6.conf.all.forwarding" = 1; + "net.ipv6.conf.all.accept_redirects" = 0; + "net.ipv4.conf.all.forwarding" = 1; + "net.ipv4.conf.all.rp_filter" = 0; + } // lib.mapAttrs' (ifname: _: lib.nameValuePair "net.ipv4.conf.${ifname}.rp_filter" (lib.mkDefault 0)) config.services.babeld.interfaces; + systemd.services.babeld = { description = "Babel routing daemon"; after = [ "network.target" ]; wantedBy = [ "multi-user.target" ]; serviceConfig = { ExecStart = "${pkgs.babeld}/bin/babeld -c ${configFile} -I /run/babeld/babeld.pid -S /var/lib/babeld/state"; + AmbientCapabilities = [ "CAP_NET_ADMIN" ]; CapabilityBoundingSet = [ "CAP_NET_ADMIN" ]; + DynamicUser = true; IPAddressAllow = [ "fe80::/64" "ff00::/8" "::1/128" "127.0.0.0/8" ]; IPAddressDeny = "any"; LockPersonality = true; @@ -98,7 +110,7 @@ in MemoryDenyWriteExecute = true; ProtectSystem = "strict"; ProtectClock = true; - ProtectKernelTunables = false; # Couldn't write sysctl: Read-only file system + ProtectKernelTunables = true; ProtectKernelModules = true; ProtectKernelLogs = true; ProtectControlGroups = true; |
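Review bot: The per-interface `net.ipv4.conf.${ifname}.rp_filter` entries added to `boot.kernel.sysctl` in the `@@ -84,13 +87,22 @@` hunk are written once by systemd-sysctl at boot, which presumably runs before interfaces that only appear later (tunnels, bridges, VPN interfaces) exist, so for those the key would merely log a failure, and with `ProtectKernelTunables = true` in the last hunk babeld can no longer set it itself the way its kernel_setup_interface routine used to. Unless such an interface is present at boot, its reverse-path check stays at whatever `net.ipv4.conf.default.rp_filter` gave it at creation, and the asymmetric routes babeld relies on may be silently dropped; a udev- or networkd-triggered sysctl, or documenting this limitation on `services.babeld.interfaces`, would close the gap. The four `all.*` entries are also set without `lib.mkDefault`, unlike the per-interface ones, so any other module or host configuration defining e.g. `net.ipv4.conf.all.rp_filter` now fails evaluation with a conflicting definition; if that fail-loud behaviour is intended it deserves a comment. Suggest annotating the attrset with `# rp_filter is effective as max(all, <iface>), so both must be 0 on babeld's interfaces; this also stops enforcing reverse-path checks via "all" on every other interface` and `# applied once by systemd-sysctl at boot: interfaces created later do not receive the per-interface value`. The enclosing `config = mkIf config.services.babeld.enable { ... }` block continues outside the hunk.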