nixos: additional hardening for dnscrypt-proxy

- Run as unprivileged user/group via systemd, obviating the need to specify capabilities, etc. - Run with private tmp and minimal device name space
2015-03-15 22:19:48 +01:00 · 2015-03-15 22:19:48 +01:00 · a88a6bc676
commit a88a6bc676
parent 823bb5dd4d
2 changed files with 22 additions and 28 deletions
--- a/nixos/modules/misc/ids.nix
+++ b/nixos/modules/misc/ids.nix
@ -376,7 +376,7 @@
      seeks = 148;
      prosody = 149;
      i2pd = 150;
-      #dnscrypt-proxy = 151; # unused
+      dnscrypt-proxy = 151;
      systemd-network = 152;
      systemd-resolve = 153;
      systemd-timesync = 154;
--- a/nixos/modules/services/networking/dnscrypt-proxy.nix
+++ b/nixos/modules/services/networking/dnscrypt-proxy.nix
@ -5,12 +5,11 @@ let
  apparmorEnabled = config.security.apparmor.enable;
  dnscrypt-proxy = pkgs.dnscrypt-proxy;
  cfg = config.services.dnscrypt-proxy;
-  uid = config.ids.uids.dnscrypt-proxy;
+  resolverListFile = "${dnscrypt-proxy}/share/dnscrypt-proxy/dnscrypt-resolvers.csv";
  daemonArgs =
-    [ "--user=dnscrypt-proxy"
+    [ "--local-address=${cfg.localAddress}:${toString cfg.port}"
      "--local-address=${cfg.localAddress}:${toString cfg.port}"
      (optionalString cfg.tcpOnly "--tcp-only")
-      "--resolvers-list=${dnscrypt-proxy}/share/dnscrypt-proxy/dnscrypt-resolvers.csv"
+      "--resolvers-list=${resolverListFile}"
      "--resolver-name=${cfg.resolverName}"
    ];
 in
@ -56,10 +55,10 @@ in
        default = "opendns";
        type = types.string;
        description = ''
-          The name of the upstream DNSCrypt resolver to use.
+          The name of the upstream DNSCrypt resolver to use. See
-          See <literal>${dnscrypt-proxy}/share/dnscrypt-proxy/dnscrypt-resolvers.csv</literal>
+          <literal>${resolverListFile}</literal> for alternative resolvers
-          for alternative resolvers (e.g., if you are concerned about logging
+          (e.g., if you are concerned about logging and/or server
-          and/or server location).
+          location).
        '';
      };
@ -88,17 +87,6 @@ in
      (pkgs.writeText "apparmor-dnscrypt-proxy" ''
        ${dnscrypt-proxy}/bin/dnscrypt-proxy {
          network inet stream,
          network inet6 stream,
          network inet dgram,
          network inet6 dgram,
          capability ipc_lock,
          capability net_bind_service,
          capability net_admin,
          capability sys_chroot,
          capability setgid,
          capability setuid,
          /dev/null rw,
          /dev/urandom r,
@ -110,26 +98,28 @@ in
          ${pkgs.glibc}/lib/*.so mr,
          ${pkgs.tzdata}/share/zoneinfo/** r,
-          ${dnscrypt-proxy}/share/dnscrypt-proxy/** r,
+          network inet stream,
          network inet6 stream,
          network inet dgram,
          network inet6 dgram,
          ${pkgs.gcc.cc}/lib/libssp.so.* mr,
          ${pkgs.libsodium}/lib/libsodium.so.* mr,
          ${pkgs.systemd}/lib/libsystemd.so.* mr,
          ${pkgs.xz}/lib/liblzma.so.* mr,
          ${pkgs.libgcrypt}/lib/libgcrypt.so.* mr,
          ${pkgs.libgpgerror}/lib/libgpg-error.so.* mr,
          ${resolverListFile} r,
        }
      '')
    ];
-    ### User
+    users.extraUsers.dnscrypt-proxy = {
-
+      uid = config.ids.uids.dnscrypt-proxy;
    users.extraUsers = singleton {
      inherit uid;
      name = "dnscrypt-proxy";
      description = "dnscrypt-proxy daemon user";
    };
-
+    users.extraGroups.dnscrypt-proxy.gid = config.ids.gids.dnscrypt-proxy;
    ### Service definition
    ## derived from upstream dnscrypt-proxy.socket
    systemd.sockets.dnscrypt-proxy = {
@ -153,6 +143,10 @@ in
        ## note: NonBlocking is required for socket activation to work
        NonBlocking = "true";
        ExecStart = "${dnscrypt-proxy}/bin/dnscrypt-proxy ${toString daemonArgs}";
        User = "dnscrypt-proxy";
        Group = "dnscrypt-proxy";
        PrivateTmp = true;
        PrivateDevices = true;
      };
    };