public/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

nixos/babeld: run as DynamicUser

Browse Source 
The last bits to prevent babeld from running unprivileged was its
kernel_setup_interface routine, that wants to set per interface
rp_filter. This behaviour has been disabled in a patch that has been
submitted upstream at https://github.com/jech/babeld/pull/68 and reuses
the skip-kernel-setup config option.

→ Overall exposure level for babeld.service: 1.7 OK 🙂
This commit is contained in:
Martin Weinelt 2020-11-24 22:41:21 +01:00
parent 70c96f0e02
commit e8988f7a30
2 changed files with 21 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
nixos/doc/manual/release-notes/rl-2105.xml
View File

@ -680,6 +680,13 @@ environment.systemPackages = [
All CUDA toolkit versions prior to CUDA 10 have been removed. All CUDA toolkit versions prior to CUDA 10 have been removed.
</para> </para>
</listitem> </listitem>
<listitem>
<para>
The <package>babeld</package> service is now being run as an unprivileged user. To achieve that the module configures
<literal>skip-kernel-setup true</literal> and takes care of setting forwarding and rp_filter sysctls by itself as well
as for each interface in <varname>services.babeld.interfaces</varname>.
</para>
</listitem>
</itemizedlist> </itemizedlist>
</section> </section>

16
nixos/modules/services/networking/babeld.nix
View File

@ -19,7 +19,10 @@ let
"interface ${name} ${paramsString interface}\n"; "interface ${name} ${paramsString interface}\n";
configFile = with cfg; pkgs.writeText "babeld.conf" ( configFile = with cfg; pkgs.writeText "babeld.conf" (
(optionalString (cfg.interfaceDefaults != null) '' ''
skip-kernel-setup true
''
+ (optionalString (cfg.interfaceDefaults != null) ''
default ${paramsString cfg.interfaceDefaults} default ${paramsString cfg.interfaceDefaults}
'') '')
+ (concatMapStrings interfaceConfig (attrNames cfg.interfaces)) + (concatMapStrings interfaceConfig (attrNames cfg.interfaces))
@ -84,13 +87,22 @@ in
config = mkIf config.services.babeld.enable { config = mkIf config.services.babeld.enable {
boot.kernel.sysctl = {
"net.ipv6.conf.all.forwarding" = 1;
"net.ipv6.conf.all.accept_redirects" = 0;
"net.ipv4.conf.all.forwarding" = 1;
"net.ipv4.conf.all.rp_filter" = 0;
} // lib.mapAttrs' (ifname: _: lib.nameValuePair "net.ipv4.conf.${ifname}.rp_filter" (lib.mkDefault 0)) config.services.babeld.interfaces;
systemd.services.babeld = { systemd.services.babeld = {
description = "Babel routing daemon"; description = "Babel routing daemon";
after = [ "network.target" ]; after = [ "network.target" ];
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
serviceConfig = { serviceConfig = {
ExecStart = "${pkgs.babeld}/bin/babeld -c ${configFile} -I /run/babeld/babeld.pid -S /var/lib/babeld/state"; ExecStart = "${pkgs.babeld}/bin/babeld -c ${configFile} -I /run/babeld/babeld.pid -S /var/lib/babeld/state";
AmbientCapabilities = [ "CAP_NET_ADMIN" ];
CapabilityBoundingSet = [ "CAP_NET_ADMIN" ]; CapabilityBoundingSet = [ "CAP_NET_ADMIN" ];
DynamicUser = true;
IPAddressAllow = [ "fe80::/64" "ff00::/8" "::1/128" "127.0.0.0/8" ]; IPAddressAllow = [ "fe80::/64" "ff00::/8" "::1/128" "127.0.0.0/8" ];
IPAddressDeny = "any"; IPAddressDeny = "any";
LockPersonality = true; LockPersonality = true;
@ -98,7 +110,7 @@ in
MemoryDenyWriteExecute = true; MemoryDenyWriteExecute = true;
ProtectSystem = "strict"; ProtectSystem = "strict";
ProtectClock = true; ProtectClock = true;
ProtectKernelTunables = false; # Couldn't write sysctl: Read-only file system ProtectKernelTunables = true;
ProtectKernelModules = true; ProtectKernelModules = true;
ProtectKernelLogs = true; ProtectKernelLogs = true;
ProtectControlGroups = true; ProtectControlGroups = true;