public/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

nixos/confinement: Explicitly set serviceConfig

Browse Source 
My implementation was relying on PrivateDevices, PrivateTmp,
PrivateUsers and others to be false by default if chroot-only mode is
used.

However there is an ongoing effort[1] to change these defaults, which
then will actually increase the attack surface in chroot-only mode,
because it is expected that there is no /dev, /sys or /proc.

If for example PrivateDevices is enabled by default, there suddenly will
be a mounted /dev in the chroot and we wouldn't detect it.

Fortunately, our tests cover that, but I'm preparing for this anyway so
that we have a smoother transition without the need to fix our
implementation again.

Thanks to @Infinisil for the heads-up.

[1]: https://github.com/NixOS/nixpkgs/issues/14645

Signed-off-by: aszlig <aszlig@nix.build>
This commit is contained in:
aszlig 2019-03-15 04:13:01 +01:00
parent 9e9af4f9c0
commit d13ad389b4
No known key found for this signature in database
GPG Key ID: 684089CE67EBB691
1 changed files with 20 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
nixos/modules/security/systemd-confinement.nix
View File

@ -106,19 +106,31 @@ in {
config = let config = let
rootName = "${mkPathSafeName name}-chroot"; rootName = "${mkPathSafeName name}-chroot";
inherit (config.confinement) binSh fullUnit; inherit (config.confinement) binSh fullUnit;
wantsAPIVFS = lib.mkDefault (config.confinement.mode == "full-apivfs");
in lib.mkIf config.confinement.enable { in lib.mkIf config.confinement.enable {
serviceConfig = { serviceConfig = {
RootDirectory = pkgs.runCommand rootName {} "mkdir \"$out\""; RootDirectory = pkgs.runCommand rootName {} "mkdir \"$out\"";
TemporaryFileSystem = "/"; TemporaryFileSystem = "/";
MountFlags = lib.mkDefault "private"; MountFlags = lib.mkDefault "private";
} // lib.optionalAttrs (config.confinement.mode == "full-apivfs") {
MountAPIVFS = true; # https://github.com/NixOS/nixpkgs/issues/14645 is a future attempt
PrivateDevices = true; # to change some of these to default to true.
PrivateTmp = true; #
PrivateUsers = true; # If we run in chroot-only mode, having something like PrivateDevices
ProtectControlGroups = true; # set to true by default will mount /dev within the chroot, whereas
ProtectKernelModules = true; # with "chroot-only" it's expected that there are no /dev, /proc and
ProtectKernelTunables = true; # /sys file systems available.
#
# However, if this suddenly becomes true, the attack surface will
# increase, so let's explicitly set these options to true/false
# depending on the mode.
MountAPIVFS = wantsAPIVFS;
PrivateDevices = wantsAPIVFS;
PrivateTmp = wantsAPIVFS;
PrivateUsers = wantsAPIVFS;
ProtectControlGroups = wantsAPIVFS;
ProtectKernelModules = wantsAPIVFS;
ProtectKernelTunables = wantsAPIVFS;
}; };
confinement.packages = let confinement.packages = let
startOnly = config.serviceConfig.RootDirectoryStartOnly or false; startOnly = config.serviceConfig.RootDirectoryStartOnly or false;