security: simplify and fix dbus configuration
Previously, due to the dependency on a helper service, this dbus config was initially inactive after system boot, allowing unrestricted use of the problematic dbus call. This also broke the accompanying VM test on faster systems. Remove 'allow' policy for root because it's a no-op: 1. It's overridden by the 'mandatory' deny policy. 2. Root can use all dbus calls anyway, regardless of policy settings. Also, add some comments.
This commit is contained in:
parent
343e026030
commit
96ea2e671c
|
@ -1,55 +1,27 @@
|
||||||
{ config, lib, pkgs, ... }:
|
{ config, lib, pkgs, ... }:
|
||||||
|
|
||||||
with lib;
|
{
|
||||||
|
# Only show the current user's processes in /proc.
|
||||||
|
# Users with group 'proc' can still access all processes.
|
||||||
|
security.hideProcessInformation = true;
|
||||||
|
|
||||||
let
|
# This mitigates a systemd security issue leaking (sub)process
|
||||||
inherit (config) nix-bitcoin-services;
|
# command lines.
|
||||||
dataDir = "/var/lib/dbus-hardening";
|
# Only allow root to retrieve systemd unit information like
|
||||||
# Mitigates a security issue that allows unprivileged users to read
|
# cgroup paths (i.e. (sub)process command lines) via D-Bus.
|
||||||
# other unprivileged user's processes' credentials from CGroup using
|
# This D-Bus call is used by `systemctl status`.
|
||||||
# `systemctl status`.
|
services.dbus.packages = [ (pkgs.writeTextDir "etc/dbus-1/system.d/dbus.conf" ''
|
||||||
dbus-hardening = pkgs.writeText "dbus.conf" ''
|
|
||||||
<?xml version="1.0" encoding="UTF-8"?> <!-- -*- XML -*- -->
|
<?xml version="1.0" encoding="UTF-8"?> <!-- -*- XML -*- -->
|
||||||
|
|
||||||
<!DOCTYPE busconfig PUBLIC
|
<!DOCTYPE busconfig PUBLIC
|
||||||
"-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
|
"-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
|
||||||
"http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
|
"http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
|
||||||
|
|
||||||
<busconfig>
|
|
||||||
<policy user="root">
|
|
||||||
<allow send_destination="org.freedesktop.systemd1"
|
|
||||||
send_interface="org.freedesktop.systemd1.Manager"
|
|
||||||
send_member="GetUnitProcesses"/>
|
|
||||||
</policy>
|
|
||||||
|
|
||||||
<policy context="mandatory">
|
<policy context="mandatory">
|
||||||
<deny send_destination="org.freedesktop.systemd1"
|
<deny send_destination="org.freedesktop.systemd1"
|
||||||
send_interface="org.freedesktop.systemd1.Manager"
|
send_interface="org.freedesktop.systemd1.Manager"
|
||||||
send_member="GetUnitProcesses"/>
|
send_member="GetUnitProcesses"/>
|
||||||
</policy>
|
</policy>
|
||||||
</busconfig>
|
</busconfig>
|
||||||
'';
|
'') ];
|
||||||
in {
|
|
||||||
config = {
|
|
||||||
systemd.tmpfiles.rules = [
|
|
||||||
"d '${dataDir}/etc/dbus-1/system.d' 0770 messagebus messagebus - -"
|
|
||||||
];
|
|
||||||
|
|
||||||
services.dbus.packages = [ "${dataDir}" ];
|
|
||||||
|
|
||||||
systemd.services.hardeneddbus = {
|
|
||||||
description = "Install hardeneddbus";
|
|
||||||
wantedBy = [ "multi-user.target" ];
|
|
||||||
script = ''
|
|
||||||
cp ${dbus-hardening} ${dataDir}/etc/dbus-1/system.d/dbus.conf
|
|
||||||
chmod 640 ${dataDir}/etc/dbus-1/system.d/dbus.conf
|
|
||||||
'';
|
|
||||||
serviceConfig = nix-bitcoin-services.defaultHardening // {
|
|
||||||
PrivateNetwork = "true";
|
|
||||||
Type = "oneshot";
|
|
||||||
User = "messagebus";
|
|
||||||
ReadWritePaths = "${dataDir}";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
}
|
}
|
||||||
|
|
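Review bot: The mandatory deny in the new policy matches only `GetUnitProcesses` on the `org.freedesktop.systemd1.Manager` interface, while systemd (v232 and later, as far as I know) also exposes a per-unit `GetProcesses` method on the `org.freedesktop.systemd1.Unit` interface that returns the same cgroup/process listing and is not covered by this rule. If that method exists on the deployed systemd version, the mitigation should add a second rule inside the same `<policy context="mandatory">` block, `<deny send_destination="org.freedesktop.systemd1" send_interface="org.freedesktop.systemd1.Unit" send_member="GetProcesses"/>`, and the VM test should exercise it as well. A short comment above the policy, e.g. `# 'mandatory' rules override per-user allow rules, so no root exception is needed`, would record why the previous `<policy user="root">` block was dropped, which the commit message explains but the file itself does not.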