pyrox.dev / nixpkgs
lol
fork atom

nixos/echoip: improve systemd hardening (#387466)

Sandro 1289c914 86f44b00

options
unified split
Changed files
+37 -31
nixos
modules
services
web-apps
echoip.nix
tests
all-tests.nix
echoip.nix
+13 -6
nixos/modules/services/web-apps/echoip.nix 
···

       
75

       
75

       
 

       
        );


     

       
76

       
76

       
 

       



     

       
77

       
77

       
 

       
        # Hardening


     

       

       
78

       
+

       
        AmbientCapabilities = "";


     

       
78

       
79

       
 

       
        CapabilityBoundingSet = [ "" ];


     

       
79

       

       
-

       
        DeviceAllow = [ "" ];


     

       

       
80

       
+

       
        DevicePolicy = "closed";


     

       
80

       
81

       
 

       
        LockPersonality = true;


     

       

       
82

       
+

       
        MemoryDenyWriteExecute = true;


     

       

       
83

       
+

       
        NoNewPrivileges = true;


     

       
81

       
84

       
 

       
        PrivateDevices = true;


     

       
82

       
85

       
 

       
        PrivateTmp = true;


     

       
83

       
86

       
 

       
        PrivateUsers = true;


     
···

       
91

       
94

       
 

       
        ProtectKernelTunables = true;


     

       
92

       
95

       
 

       
        ProtectProc = "invisible";


     

       
93

       
96

       
 

       
        ProtectSystem = "strict";


     

       
94

       

       
-

       
        RestrictAddressFamilies = [


     

       
95

       

       
-

       
          "AF_INET"


     

       
96

       

       
-

       
          "AF_INET6"


     

       
97

       

       
-

       
          "AF_UNIX"


     

       
98

       

       
-

       
        ];


     

       

       
97

       
+

       
        RemoveIPC = true;


     

       

       
98

       
+

       
        RestrictAddressFamilies = [ "AF_INET AF_INET6 AF_UNIX" ];


     

       
99

       
99

       
 

       
        RestrictNamespaces = true;


     

       
100

       
100

       
 

       
        RestrictRealtime = true;


     

       
101

       
101

       
 

       
        RestrictSUIDSGID = true;


     

       
102

       
102

       
 

       
        SystemCallArchitectures = "native";


     

       

       
103

       
+

       
        SystemCallFilter = [


     

       

       
104

       
+

       
          "@system-service"


     

       

       
105

       
+

       
          "~@privileged"


     

       

       
106

       
+

       
          "~@resources"


     

       

       
107

       
+

       
          "setrlimit"


     

       

       
108

       
+

       
        ];


     

       

       
109

       
+

       
        UMask = "0077";


     

       
103

       
110

       
 

       
      };


     

       
104

       
111

       
 

       
    };


     

       
105

       
112
+1 -1
nixos/tests/all-tests.nix 
···

       
353

       
353

       
 

       
  early-mount-options = handleTest ./early-mount-options.nix {};


     

       
354

       
354

       
 

       
  ec2-config = (handleTestOn ["x86_64-linux"] ./ec2.nix {}).boot-ec2-config or {};


     

       
355

       
355

       
 

       
  ec2-nixops = (handleTestOn ["x86_64-linux"] ./ec2.nix {}).boot-ec2-nixops or {};


     

       
356

       

       
-

       
  echoip = handleTest ./echoip.nix {};


     

       

       
356

       
+

       
  echoip = runTest ./echoip.nix;


     

       
357

       
357

       
 

       
  ecryptfs = handleTest ./ecryptfs.nix {};


     

       
358

       
358

       
 

       
  fscrypt = handleTest ./fscrypt.nix {};


     

       
359

       
359

       
 

       
  fastnetmon-advanced = runTest ./fastnetmon-advanced.nix;
+23 -24
nixos/tests/echoip.nix 
···

       
1

       

       
-

       
import ./make-test-python.nix (


     

       
2

       

       
-

       
  { lib, ... }:


     

       
3

       

       
-

       
  {


     

       
4

       

       
-

       
    name = "echoip";


     

       
5

       

       
-

       
    meta.maintainers = with lib.maintainers; [ defelo ];


     

       

       
1

       
+

       
{ lib, ... }:


     

       
6

       
2

       
 

       



     

       
7

       

       
-

       
    nodes.machine = {


     

       
8

       

       
-

       
      services.echoip = {


     

       
9

       

       
-

       
        enable = true;


     

       
10

       

       
-

       
        virtualHost = "echoip.local";


     

       
11

       

       
-

       
      };


     

       

       
3

       
+

       
{


     

       

       
4

       
+

       
  name = "echoip";


     

       

       
5

       
+

       
  meta.maintainers = with lib.maintainers; [ defelo ];


     

       
12

       
6

       
 

       



     

       
13

       

       
-

       
      networking.hosts = {


     

       
14

       

       
-

       
        "127.0.0.1" = [ "echoip.local" ];


     

       
15

       

       
-

       
        "::1" = [ "echoip.local" ];


     

       
16

       

       
-

       
      };


     

       

       
7

       
+

       
  nodes.machine = {


     

       

       
8

       
+

       
    services.echoip = {


     

       

       
9

       
+

       
      enable = true;


     

       

       
10

       
+

       
      virtualHost = "echoip.local";


     

       

       
11

       
+

       
    };


     

       

       
12

       
+

       



     

       

       
13

       
+

       
    networking.hosts = {


     

       

       
14

       
+

       
      "127.0.0.1" = [ "echoip.local" ];


     

       

       
15

       
+

       
      "::1" = [ "echoip.local" ];


     

       
17

       
16

       
 

       
    };


     

       

       
17

       
+

       
  };


     

       
18

       
18

       
 

       



     

       
19

       

       
-

       
    testScript = ''


     

       
20

       

       
-

       
      machine.wait_for_unit("echoip.service")


     

       
21

       

       
-

       
      machine.wait_for_open_port(8080)


     

       

       
19

       
+

       
  testScript = ''


     

       

       
20

       
+

       
    machine.wait_for_unit("echoip.service")


     

       

       
21

       
+

       
    machine.wait_for_open_port(8080)


     

       
22

       
22

       
 

       



     

       
23

       

       
-

       
      resp = machine.succeed("curl -4 http://echoip.local/ip")


     

       
24

       

       
-

       
      assert resp.strip() == "127.0.0.1"


     

       
25

       

       
-

       
      resp = machine.succeed("curl -6 http://echoip.local/ip")


     

       
26

       

       
-

       
      assert resp.strip() == "::1"


     

       
27

       

       
-

       
    '';


     

       
28

       

       
-

       
  }


     

       
29

       

       
-

       
)


     

       

       
23

       
+

       
    resp = machine.succeed("curl -4 http://echoip.local/ip")


     

       

       
24

       
+

       
    assert resp.strip() == "127.0.0.1"


     

       

       
25

       
+

       
    resp = machine.succeed("curl -6 http://echoip.local/ip")


     

       

       
26

       
+

       
    assert resp.strip() == "::1"


     

       

       
27

       
+

       
  '';


     

       

       
28

       
+

       
}