Merge #213: Fix systemd leak
6a8e29e016
tests: add dbus-hardening and hideProcessInformation (nixbitcoin)0248e6493f
systemd: lock down systemctl status (nixbitcoin) Pull request description: ACKs for top commit: jonasnick: ACK6a8e29e016
Tree-SHA512: 1ee8ce42f71e1a8977f5a84053b10f5f7f56da395d4f801447d2d344540640fc496ef0ff341cb32ca92ac064d43d04f118bf580c42d31022e6ed84815b8f72c6
This commit is contained in:
commit
272b8568e7
55
modules/dbus.nix
Normal file
55
modules/dbus.nix
Normal file
|
@ -0,0 +1,55 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
|
||||
with lib;
|
||||
|
||||
let
|
||||
inherit (config) nix-bitcoin-services;
|
||||
dataDir = "/var/lib/dbus-hardening";
|
||||
# Mitigates a security issue that allows unprivileged users to read
|
||||
# other unprivileged user's processes' credentials from CGroup using
|
||||
# `systemctl status`.
|
||||
dbus-hardening = pkgs.writeText "dbus.conf" ''
|
||||
<?xml version="1.0" encoding="UTF-8"?> <!-- -*- XML -*- -->
|
||||
|
||||
<!DOCTYPE busconfig PUBLIC
|
||||
"-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
|
||||
"http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
|
||||
|
||||
<busconfig>
|
||||
<policy user="root">
|
||||
<allow send_destination="org.freedesktop.systemd1"
|
||||
send_interface="org.freedesktop.systemd1.Manager"
|
||||
send_member="GetUnitProcesses"/>
|
||||
</policy>
|
||||
|
||||
<policy context="mandatory">
|
||||
<deny send_destination="org.freedesktop.systemd1"
|
||||
send_interface="org.freedesktop.systemd1.Manager"
|
||||
send_member="GetUnitProcesses"/>
|
||||
</policy>
|
||||
</busconfig>
|
||||
'';
|
||||
in {
|
||||
config = {
|
||||
systemd.tmpfiles.rules = [
|
||||
"d '${dataDir}/etc/dbus-1/system.d' 0770 messagebus messagebus - -"
|
||||
];
|
||||
|
||||
services.dbus.packages = [ "${dataDir}" ];
|
||||
|
||||
systemd.services.hardeneddbus = {
|
||||
description = "Install hardeneddbus";
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
script = ''
|
||||
cp ${dbus-hardening} ${dataDir}/etc/dbus-1/system.d/dbus.conf
|
||||
chmod 640 ${dataDir}/etc/dbus-1/system.d/dbus.conf
|
||||
'';
|
||||
serviceConfig = nix-bitcoin-services.defaultHardening // {
|
||||
PrivateNetwork = "true";
|
||||
Type = "oneshot";
|
||||
User = "messagebus";
|
||||
ReadWritePaths = "${dataDir}";
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
|
@ -15,6 +15,7 @@
|
|||
./lnd.nix
|
||||
./secrets/secrets.nix
|
||||
./netns-isolation.nix
|
||||
./dbus.nix
|
||||
];
|
||||
|
||||
disabledModules = [ "services/networking/bitcoind.nix" ];
|
||||
|
|
|
@ -42,6 +42,9 @@ in {
|
|||
|
||||
networking.firewall.enable = true;
|
||||
|
||||
# hideProcessInformation even if hardened kernel profile is disabled
|
||||
security.hideProcessInformation = true;
|
||||
|
||||
# Tor
|
||||
services.tor = {
|
||||
enable = true;
|
||||
|
|
|
@ -51,6 +51,13 @@ assert_matches("curl -L localhost/store", "tshirt")
|
|||
machine.wait_until_succeeds(log_has_string("bitcoind-import-banlist", "Importing node banlist"))
|
||||
assert_no_failure("bitcoind-import-banlist")
|
||||
|
||||
# test that `systemctl status` can't leak credentials
|
||||
assert_matches(
|
||||
"sudo -u electrs systemctl status clightning 2>&1 >/dev/null",
|
||||
"Failed to dump process list for 'clightning.service', ignoring: Access denied",
|
||||
)
|
||||
machine.succeed("grep -Fq hidepid=2 /proc/mounts")
|
||||
|
||||
### Additional tests
|
||||
|
||||
# Current time in µs
|
||||
|
|
|
@ -113,6 +113,13 @@ assert_matches_exactly(
|
|||
# test that netns-exec can not be executed by users that are not operator
|
||||
machine.fail("sudo -u clightning netns-exec nb-bitcoind ip a")
|
||||
|
||||
# test that `systemctl status` can't leak credentials
|
||||
assert_matches(
|
||||
"sudo -u electrs systemctl status clightning 2>&1 >/dev/null",
|
||||
"Failed to dump process list for 'clightning.service', ignoring: Access denied",
|
||||
)
|
||||
machine.succeed("grep -Fq hidepid=2 /proc/mounts")
|
||||
|
||||
### Additional tests
|
||||
|
||||
# Current time in µs
|
||||
|
|
Loading…
Reference in New Issue
Block a user