From 118f34172351a3cc30f930ed1de06a0f90a6bbb3 Mon Sep 17 00:00:00 2001
From: Philipp Bartsch
Date: Fri, 17 Jul 2020 00:30:51 +0200
Subject: [PATCH 1/3] nixos/opendkim: add systemd service sandbox
---
 nixos/modules/services/mail/opendkim.nix | 29 ++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)
diff --git a/nixos/modules/services/mail/opendkim.nix b/nixos/modules/services/mail/opendkim.nix
index eb6a426684d..f4d856944ec 100644
--- a/nixos/modules/services/mail/opendkim.nix
+++ b/nixos/modules/services/mail/opendkim.nix
@@ -129,6 +129,35 @@ in {
 User = cfg.user;
 Group = cfg.group;
 RuntimeDirectory = optional (cfg.socket == defaultSock) "opendkim";
+ StateDirectory = "opendkim";
+ StateDirectoryMode = "0700";
+
+ AmbientCapabilities = [];
+ CapabilityBoundingSet = [];
+ DevicePolicy = "closed";
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ NoNewPrivileges = true;
+ PrivateDevices = true;
+ PrivateMounts = true;
+ PrivateTmp = true;
+ PrivateUsers = true;
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ ProtectHome = true;
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectSystem = "strict";
+ RemoveIPC = true;
+ RestrictAddressFamilies = [ "AF_INET" "AF_INET6 AF_UNIX" ];
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ SystemCallArchitectures = "native";
+ SystemCallFilter = [ "@system-service" "~@privileged @resources" ];
+ UMask = "0077";
 };
 };
From 47928442a850e93a740b7ab1149994c73e37dcaf Mon Sep 17 00:00:00 2001
From: Philipp Bartsch
Date: Sun, 23 Aug 2020 18:14:39 +0200
Subject: [PATCH 2/3] nixos/opendkim: add keyPath to ReadWritePaths
---
 nixos/modules/services/mail/opendkim.nix | 1 +
 1 file changed, 1 insertion(+)
diff --git a/nixos/modules/services/mail/opendkim.nix b/nixos/modules/services/mail/opendkim.nix
index f4d856944ec..9bf6f338d93 100644
--- a/nixos/modules/services/mail/opendkim.nix
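Review bot: `RestrictAddressFamilies = [ "AF_INET" "AF_INET6 AF_UNIX" ];` mixes one family per list element with two families packed into a single string, which reads like a missing quote even though systemd accepts a space-separated list on one `RestrictAddressFamilies=` line; for consistency with the first element write `RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];`. The `SystemCallFilter` deny entry is a different case: `"~@privileged @resources"` has to stay one string because the leading `~` negates the whole line, so a short comment such as `# the ~ applies to the whole line, keep both groups in one string` would keep the next maintainer from splitting it. `ProtectSystem = "strict"` leaves only the `RuntimeDirectory`/`StateDirectory` trees writable, so any key generation the module performs into `cfg.keyPath` outside `/var/lib/opendkim` (the module's preStart is not visible in this hunk) would presumably fail after this commit; the next commit in the series adds `ReadWritePaths` for that. The enclosing `serviceConfig` attribute set starts outside the hunk.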
+++ b/nixos/modules/services/mail/opendkim.nix
@@ -131,6 +131,7 @@ in {
 RuntimeDirectory = optional (cfg.socket == defaultSock) "opendkim";
 StateDirectory = "opendkim";
 StateDirectoryMode = "0700";
+ ReadWritePaths = [ cfg.keyPath ];
 AmbientCapabilities = [];
 CapabilityBoundingSet = [];
From c46dd4e2215134f055b0876b88a773aca8d357f0 Mon Sep 17 00:00:00 2001
From: Philipp Bartsch
Date: Thu, 3 Sep 2020 18:03:28 +0200
Subject: [PATCH 3/3] nixos/doc: add opendkim changes to release notes
---
 nixos/doc/manual/release-notes/rl-2009.xml | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/nixos/doc/manual/release-notes/rl-2009.xml b/nixos/doc/manual/release-notes/rl-2009.xml
index c936ae946ad..b7202eab7a4 100644
--- a/nixos/doc/manual/release-notes/rl-2009.xml
+++ b/nixos/doc/manual/release-notes/rl-2009.xml
@@ -1054,6 +1054,12 @@ services.transmission.settings.rpc-bind-address = "0.0.0.0";
 removed, as it depends on libraries from deepin.
+
+
+ The opendkim module now uses systemd sandboxing features
+ to limit the exposure of the system towards the opendkim service.
+
+
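Review bot: `ReadWritePaths = [ cfg.keyPath ];` gives the long-running daemon write access to its own signing keys, which is broader than the main process needs: while signing, opendkim only reads the private key, so a compromised milter could overwrite or delete key material. If write access is only required by a key-generation step that runs under the same unit (the module's preStart is not visible in this hunk), consider narrowing it so the daemon itself sees the key directory read-only, and in any case record the reason next to the line, e.g. `# writable so key generation can run inside the sandbox; the daemon only reads the keys` — confirm that is indeed why it was added. When `cfg.keyPath` resolves to a directory below `/var/lib/opendkim`, the entry is redundant with `StateDirectory = "opendkim"` from the previous commit; when it points elsewhere, it should be confirmed that the directory exists at the first start, since as far as I recall mount-namespace setup fails for a non-existent `ReadWritePaths=` entry unless the path is prefixed with `-`. The enclosing `serviceConfig` attribute set starts outside the hunk.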