nixos/babeld: run as DynamicUser
The last bits to prevent babeld from running unprivileged was its kernel_setup_interface routine, that wants to set per interface rp_filter. This behaviour has been disabled in a patch that has been submitted upstream at https://github.com/jech/babeld/pull/68 and reuses the skip-kernel-setup config option. → Overall exposure level for babeld.service: 1.7 OK 🙂
This commit is contained in:
parent
70c96f0e02
commit
e8988f7a30
|
@ -680,6 +680,13 @@ environment.systemPackages = [
|
|||
All CUDA toolkit versions prior to CUDA 10 have been removed.
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
The <package>babeld</package> service is now being run as an unprivileged user. To achieve that the module configures
|
||||
<literal>skip-kernel-setup true</literal> and takes care of setting forwarding and rp_filter sysctls by itself as well
|
||||
as for each interface in <varname>services.babeld.interfaces</varname>.
|
||||
</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
</section>
|
||||
|
||||
|
|
|
@ -19,7 +19,10 @@ let
|
|||
"interface ${name} ${paramsString interface}\n";
|
||||
|
||||
configFile = with cfg; pkgs.writeText "babeld.conf" (
|
||||
(optionalString (cfg.interfaceDefaults != null) ''
|
||||
''
|
||||
skip-kernel-setup true
|
||||
''
|
||||
+ (optionalString (cfg.interfaceDefaults != null) ''
|
||||
default ${paramsString cfg.interfaceDefaults}
|
||||
'')
|
||||
+ (concatMapStrings interfaceConfig (attrNames cfg.interfaces))
|
||||
|
@ -84,13 +87,22 @@ in
|
|||
|
||||
config = mkIf config.services.babeld.enable {
|
||||
|
||||
boot.kernel.sysctl = {
|
||||
"net.ipv6.conf.all.forwarding" = 1;
|
||||
"net.ipv6.conf.all.accept_redirects" = 0;
|
||||
"net.ipv4.conf.all.forwarding" = 1;
|
||||
"net.ipv4.conf.all.rp_filter" = 0;
|
||||
} // lib.mapAttrs' (ifname: _: lib.nameValuePair "net.ipv4.conf.${ifname}.rp_filter" (lib.mkDefault 0)) config.services.babeld.interfaces;
|
||||
|
||||
systemd.services.babeld = {
|
||||
description = "Babel routing daemon";
|
||||
after = [ "network.target" ];
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
serviceConfig = {
|
||||
ExecStart = "${pkgs.babeld}/bin/babeld -c ${configFile} -I /run/babeld/babeld.pid -S /var/lib/babeld/state";
|
||||
AmbientCapabilities = [ "CAP_NET_ADMIN" ];
|
||||
CapabilityBoundingSet = [ "CAP_NET_ADMIN" ];
|
||||
DynamicUser = true;
|
||||
IPAddressAllow = [ "fe80::/64" "ff00::/8" "::1/128" "127.0.0.0/8" ];
|
||||
IPAddressDeny = "any";
|
||||
LockPersonality = true;
|
||||
|
@ -98,7 +110,7 @@ in
|
|||
MemoryDenyWriteExecute = true;
|
||||
ProtectSystem = "strict";
|
||||
ProtectClock = true;
|
||||
ProtectKernelTunables = false; # Couldn't write sysctl: Read-only file system
|
||||
ProtectKernelTunables = true;
|
||||
ProtectKernelModules = true;
|
||||
ProtectKernelLogs = true;
|
||||
ProtectControlGroups = true;
|
||||
|
|
Loading…
Reference in New Issue