pyrox.dev / nixpkgs
lol
fork atom

nixos/mosquitto: harden systemd unit

It can still network, it can only access the ssl related files if ssl is
enabled.

✗ PrivateNetwork= Service has access to the host's network 0.5
✗ RestrictAddressFamilies=~AF_(INET|INET6) Service may allocate Internet sockets 0.3
✗ DeviceAllow= Service has a device ACL with some special devices 0.1
✗ IPAddressDeny= Service does not define an IP address allow list 0.2
✗ RootDirectory=/RootImage= Service runs within the host's root directory 0.1
✗ RestrictAddressFamilies=~AF_UNIX Service may allocate local sockets 0.1

→ Overall exposure level for mosquitto.service: 1.1 OK 🙂

Martin Weinelt 33e86762 6aec5a24

options
unified split
Changed files
+43 -5
nixos
modules
services
networking
mosquitto.nix
tests
mosquitto.nix
+39 -4
nixos/modules/services/networking/mosquitto.nix 
···

       
233

       
233

       
 

       
        ExecStart = "${pkgs.mosquitto}/bin/mosquitto -c ${mosquittoConf}";


     

       
234

       
234

       
 

       
        ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";


     

       
235

       
235

       
 

       



     

       
236

       

       
-

       
        ProtectSystem = "strict";


     

       
237

       

       
-

       
        ProtectHome = true;


     

       

       
236

       
+

       
        # Hardening


     

       

       
237

       
+

       
        CapabilityBoundingSet = "";


     

       

       
238

       
+

       
        DevicePolicy = "closed";


     

       

       
239

       
+

       
        LockPersonality = true;


     

       

       
240

       
+

       
        MemoryDenyWriteExecute = true;


     

       

       
241

       
+

       
        NoNewPrivileges = true;


     

       
238

       
242

       
 

       
        PrivateDevices = true;


     

       
239

       
243

       
 

       
        PrivateTmp = true;


     

       
240

       

       
-

       
        ReadWritePaths = "${cfg.dataDir}";


     

       

       
244

       
+

       
        PrivateUsers = true;


     

       

       
245

       
+

       
        ProtectClock = true;


     

       
241

       
246

       
 

       
        ProtectControlGroups = true;


     

       

       
247

       
+

       
        ProtectHome = true;


     

       

       
248

       
+

       
        ProtectHostname = true;


     

       

       
249

       
+

       
        ProtectKernelLogs = true;


     

       
242

       
250

       
 

       
        ProtectKernelModules = true;


     

       
243

       
251

       
 

       
        ProtectKernelTunables = true;


     

       
244

       

       
-

       
        NoNewPrivileges = true;


     

       

       
252

       
+

       
        ProtectProc = "invisible";


     

       

       
253

       
+

       
        ProcSubset = "pid";


     

       

       
254

       
+

       
        ProtectSystem = "strict";


     

       

       
255

       
+

       
        ReadWritePaths = [


     

       

       
256

       
+

       
          cfg.dataDir


     

       

       
257

       
+

       
          "/tmp"  # mosquitto_passwd creates files in /tmp before moving them


     

       

       
258

       
+

       
        ];


     

       

       
259

       
+

       
        ReadOnlyPaths = with cfg.ssl; lib.optionals (enable) [


     

       

       
260

       
+

       
          certfile


     

       

       
261

       
+

       
          keyfile


     

       

       
262

       
+

       
          cafile


     

       

       
263

       
+

       
        ];


     

       

       
264

       
+

       
        RemoveIPC = true;


     

       

       
265

       
+

       
        RestrictAddressFamilies = [


     

       

       
266

       
+

       
          "AF_UNIX"  # for sd_notify() call


     

       

       
267

       
+

       
          "AF_INET"


     

       

       
268

       
+

       
          "AF_INET6"


     

       

       
269

       
+

       
        ];


     

       

       
270

       
+

       
        RestrictNamespaces = true;


     

       

       
271

       
+

       
        RestrictRealtime = true;


     

       

       
272

       
+

       
        RestrictSUIDSGID = true;


     

       

       
273

       
+

       
        SystemCallArchitectures = "native";


     

       

       
274

       
+

       
        SystemCallFilter = [


     

       

       
275

       
+

       
          "@system-service"


     

       

       
276

       
+

       
          "~@privileged"


     

       

       
277

       
+

       
          "~@resources"


     

       

       
278

       
+

       
        ];


     

       

       
279

       
+

       
        UMask = "0077";


     

       
245

       
280

       
 

       
      };


     

       
246

       
281

       
 

       
      preStart = ''


     

       
247

       
282

       
 

       
        rm -f ${cfg.dataDir}/passwd
+4 -1
nixos/tests/mosquitto.nix 
···

       
1

       

       
-

       
import ./make-test-python.nix ({ pkgs, ... }:


     

       

       
1

       
+

       
import ./make-test-python.nix ({ pkgs, lib, ... }:


     

       
2

       
2

       
 

       



     

       
3

       
3

       
 

       
let


     

       
4

       
4

       
 

       
  port = 1888;


     
···

       
30

       
30

       
 

       
          ];


     

       
31

       
31

       
 

       
        };


     

       
32

       
32

       
 

       
      };


     

       

       
33

       
+

       



     

       

       
34

       
+

       
      # disable private /tmp for this test


     

       

       
35

       
+

       
      systemd.services.mosquitto.serviceConfig.PrivateTmp = lib.mkForce false;


     

       
33

       
36

       
 

       
    };


     

       
34

       
37

       
 

       



     

       
35

       
38

       
 

       
    client1 = client;