nixos/nginx: update hardening settings

- Set an explicit umask that allows u+rwx and g+r. - Adds `ProtectControlGroups` and `ProtectKernelLogs`, there should be no need to access either. - Adds `ProtectClock` to prevent write-access to the system clock. - `ProtectProc` hides processes from other users within the /proc filesystem and `ProcSubSet` hides all files/directories unrelated to the process management of the units process. - Sets `RemoveIPC`, as there is no SysV or POSIX IPC within nginx that I know of. - Restricts the creation of arbitrary namespaces - Adds a reasonable `SystemCallFilter` preventing calls to @privileged, @obsolete and others. And finally applies some sorting based on the order these options appear in systemd.exec(5).
2021-04-30 03:23:55 +02:00 · 2021-04-30 03:23:55 +02:00 · 506bc7ba02
parent dbcbb7ec48
commit 506bc7ba02
1 changed files with 11 additions and 1 deletions
--- a/nixos/modules/services/web-servers/nginx/default.nix
+++ b/nixos/modules/services/web-servers/nginx/default.nix
@ -819,28 +819,38 @@ in
        # Logs directory and mode
        LogsDirectory = "nginx";
        LogsDirectoryMode = "0750";
+        # Proc filesystem
+        ProcSubset = "pid";
+        ProtectProc = "invisible";
+        # New file permissions
+        UMask = "0027"; # 0640 / 0750
        # Capabilities
        AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" "CAP_SYS_RESOURCE" ];
        CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" "CAP_SYS_RESOURCE" ];
        # Security
        NoNewPrivileges = true;
-        # Sandboxing
+        # Sandboxing (sorted by occurrence in https://www.freedesktop.org/software/systemd/man/systemd.exec.html)
        ProtectSystem = "strict";
        ProtectHome = mkDefault true;
        PrivateTmp = true;
        PrivateDevices = true;
        ProtectHostname = true;
+        ProtectClock = true;
        ProtectKernelTunables = true;
        ProtectKernelModules = true;
+        ProtectKernelLogs = true;
        ProtectControlGroups = true;
        RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
+        RestrictNamespaces = true;
        LockPersonality = true;
        MemoryDenyWriteExecute = !(builtins.any (mod: (mod.allowMemoryWriteExecute or false)) cfg.package.modules);
        RestrictRealtime = true;
        RestrictSUIDSGID = true;
+        RemoveIPC = true;
        PrivateMounts = true;
        # System Call Filtering
        SystemCallArchitectures = "native";
+        SystemCallFilter = "~@chown @cpu-emulation @debug @keyring @ipc @module @mount @obsolete @privileged @raw-io @reboot @setuid @swap";
      };
    };