pyrox.dev / nixpkgs
lol
fork atom

Merge pull request #133098 from erdnaxe/nitter-hardening

nixos/nitter: systemd unit hardening

Guillaume Girol 25b4e3c7 5af1b2fd

options
unified split
Changed files
+34 -2
nixos
modules
services
misc
nitter.nix
tests
nitter.nix
pkgs
servers
nitter
default.nix
+25
nixos/modules/services/misc/nitter.nix 
···

       
312

       
312

       
 

       
          AmbientCapabilities = lib.mkIf (cfg.server.port < 1024) [ "CAP_NET_BIND_SERVICE" ];


     

       
313

       
313

       
 

       
          Restart = "on-failure";


     

       
314

       
314

       
 

       
          RestartSec = "5s";


     

       

       
315

       
+

       
          # Hardening


     

       

       
316

       
+

       
          CapabilityBoundingSet = if (cfg.server.port < 1024) then [ "CAP_NET_BIND_SERVICE" ] else [ "" ];


     

       

       
317

       
+

       
          DeviceAllow = [ "" ];


     

       

       
318

       
+

       
          LockPersonality = true;


     

       

       
319

       
+

       
          MemoryDenyWriteExecute = true;


     

       

       
320

       
+

       
          PrivateDevices = true;


     

       

       
321

       
+

       
          # A private user cannot have process capabilities on the host's user


     

       

       
322

       
+

       
          # namespace and thus CAP_NET_BIND_SERVICE has no effect.


     

       

       
323

       
+

       
          PrivateUsers = (cfg.server.port >= 1024);


     

       

       
324

       
+

       
          ProcSubset = "pid";


     

       

       
325

       
+

       
          ProtectClock = true;


     

       

       
326

       
+

       
          ProtectControlGroups = true;


     

       

       
327

       
+

       
          ProtectHome = true;


     

       

       
328

       
+

       
          ProtectHostname = true;


     

       

       
329

       
+

       
          ProtectKernelLogs = true;


     

       

       
330

       
+

       
          ProtectKernelModules = true;


     

       

       
331

       
+

       
          ProtectKernelTunables = true;


     

       

       
332

       
+

       
          ProtectProc = "invisible";


     

       

       
333

       
+

       
          RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];


     

       

       
334

       
+

       
          RestrictNamespaces = true;


     

       

       
335

       
+

       
          RestrictRealtime = true;


     

       

       
336

       
+

       
          RestrictSUIDSGID = true;


     

       

       
337

       
+

       
          SystemCallArchitectures = "native";


     

       

       
338

       
+

       
          SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ];


     

       

       
339

       
+

       
          UMask = "0077";


     

       
315

       
340

       
 

       
        };


     

       
316

       
341

       
 

       
    };


     

       
317

       
342
+4 -2
nixos/tests/nitter.nix 
···

       
6

       
6

       
 

       



     

       
7

       
7

       
 

       
  nodes.machine = {


     

       
8

       
8

       
 

       
    services.nitter.enable = true;


     

       

       
9

       
+

       
    # Test CAP_NET_BIND_SERVICE


     

       

       
10

       
+

       
    services.nitter.server.port = 80;


     

       
9

       
11

       
 

       
  };


     

       
10

       
12

       
 

       



     

       
11

       
13

       
 

       
  testScript = ''


     

       
12

       
14

       
 

       
    machine.wait_for_unit("nitter.service")


     

       
13

       

       
-

       
    machine.wait_for_open_port("8080")


     

       
14

       

       
-

       
    machine.succeed("curl --fail http://localhost:8080/")


     

       

       
15

       
+

       
    machine.wait_for_open_port("80")


     

       

       
16

       
+

       
    machine.succeed("curl --fail http://localhost:80/")


     

       
15

       
17

       
 

       
  '';


     

       
16

       
18

       
 

       
})
+5
pkgs/servers/nitter/default.nix 
···

       
1

       
1

       
 

       
{ lib


     

       
2

       
2

       
 

       
, stdenv


     

       

       
3

       
+

       
, nixosTests


     

       
3

       
4

       
 

       
, fetchFromGitHub


     

       
4

       
5

       
 

       
, nim


     

       
5

       
6

       
 

       
, libsass


     
···

       
119

       
120

       
 

       
    cp -r public $out/share/nitter/public


     

       
120

       
121

       
 

       
    runHook postInstall


     

       
121

       
122

       
 

       
  '';


     

       

       
123

       
+

       



     

       

       
124

       
+

       
  passthru.tests = {


     

       

       
125

       
+

       
    inherit (nixosTests) nitter;


     

       

       
126

       
+

       
  };


     

       
122

       
127

       
 

       



     

       
123

       
128

       
 

       
  meta = with lib; {


     

       
124

       
129

       
 

       
    description = "Alternative Twitter front-end";