From 7443d9dfd4d18f0307ca9f9ff3ba0eb36b2af2bd Mon Sep 17 00:00:00 2001
From: Izorkin
Date: Mon, 9 Dec 2019 21:03:48 +0300
Subject: [PATCH] nixos/unit: enable sanboxing

---
 .../services/web-servers/unit/default.nix | 26 +++++++++++++++----
 1 file changed, 21 insertions(+), 5 deletions(-)

diff --git a/nixos/modules/services/web-servers/unit/default.nix b/nixos/modules/services/web-servers/unit/default.nix
index 32f6d475b34..2c5639b99f9 100644
--- a/nixos/modules/services/web-servers/unit/default.nix
+++ b/nixos/modules/services/web-servers/unit/default.nix
@@ -85,7 +85,7 @@ in {
 systemd.tmpfiles.rules = [
 "d '${cfg.stateDir}' 0750 ${cfg.user} ${cfg.group} - -"
 "d '${cfg.logDir}' 0750 ${cfg.user} ${cfg.group} - -"
- ];
+ ];
 systemd.services.unit = {
 description = "Unit App Server";
@@ -99,17 +99,33 @@ in {
 curl -X PUT --data-binary '@${configFile}' --unix-socket '/run/unit/control.unit.sock' 'http://localhost/config'
 '';
 serviceConfig = {
- User = cfg.user;
- Group = cfg.group;
- AmbientCapabilities = "CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID";
- CapabilityBoundingSet = "CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID";
 ExecStart = ''
 ${cfg.package}/bin/unitd --control 'unix:/run/unit/control.unit.sock' --pid '/run/unit/unit.pid' \
 --log '${cfg.logDir}/unit.log' --state '${cfg.stateDir}' --no-daemon \
 --user ${cfg.user} --group ${cfg.group}
 '';
+ # User and group
+ User = cfg.user;
+ Group = cfg.group;
+ # Capabilities
+ AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" "CAP_SETGID" "CAP_SETUID" ];
+ # Security
+ NoNewPrivileges = true;
+ # Sanboxing
+ ProtectSystem = "full";
+ ProtectHome = true;
 RuntimeDirectory = "unit";
 RuntimeDirectoryMode = "0750";
+ PrivateTmp = true;
+ PrivateDevices = true;
+ ProtectHostname = true;
+ ProtectKernelTunables = true;
+ ProtectKernelModules = true;
+ ProtectControlGroups = true;
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ RestrictRealtime = true;
+ PrivateMounts = true;
 };
 };
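Review bot: The serviceConfig hunk removes `CapabilityBoundingSet` while keeping `AmbientCapabilities`, and as far as I can tell systemd does not narrow the bounding set from the ambient list on its own, so the unit's bounding set falls back to the default (every capability) instead of the three the old line pinned, which widens the privilege envelope the new NoNewPrivileges and sandboxing options are meant to shrink. Restore it next to the ambient list in the same list form, `CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" "CAP_SETGID" "CAP_SETUID" ];`, so the two sets stay in step. The new `# Sanboxing` comment (like the subject line) misspells sandboxing; `# Sandboxing`. `MemoryDenyWriteExecute = true` deserves a comment at the line, since any application runtime that JITs (presumably some of the language modules unitd can host — confirm against the modules this service is expected to run) would fail under it; `# MemoryDenyWriteExecute: blocks W+X mappings, verify against JIT-based language modules`. The `systemd.services.unit` attribute set this hunk edits opens in the earlier hunk, and the hunk's final context line appears to be a blank line lost when the patch was collapsed.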