services: add finer-grained address family restrictions

Due to a possible NixOS bug, this commit has no effect on NixOS 20.09
where `RestrictAddressFamilies` is a no-op.
It's only relevant for NixOS unstable with cgroups v2.

bitcoind+zmq: instead of allowing all address families, only add the required
AF_NETLINK family.

lnd: lnd only runs a zmq client, not a server, therefore it requires
no additional address families.

lightning-pool, clightning-plugin-zmq: add AF_NETLINK.
This commit is contained in:
Erik Arvstedt 2021-03-22 13:19:46 +01:00
parent 020433cec6
commit 08fe9ba84a
No known key found for this signature in database
GPG Key ID: 33312B944DD97846
5 changed files with 16 additions and 4 deletions


@ -55,6 +55,8 @@ let
# Extra options # Extra options
${cfg.extraConfig} ${cfg.extraConfig}
''; '';
zmqServerEnabled = (cfg.zmqpubrawblock != null) || (cfg.zmqpubrawtx != null);
in { in {
options = { options = {
services.bitcoind = { services.bitcoind = {
@ -358,7 +360,7 @@ in {
UMask = mkIf cfg.dataDirReadableByGroup "0027"; UMask = mkIf cfg.dataDirReadableByGroup "0027";
ReadWritePaths = cfg.dataDir; ReadWritePaths = cfg.dataDir;
} // nbLib.allowedIPAddresses cfg.enforceTor } // nbLib.allowedIPAddresses cfg.enforceTor
// optionalAttrs (cfg.zmqpubrawblock != null || cfg.zmqpubrawtx != null) nbLib.allowAnyProtocol; // optionalAttrs zmqServerEnabled nbLib.allowNetlink;
}; };
# Use this to update the banlist: # Use this to update the banlist:
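Review bot: The new `// optionalAttrs zmqServerEnabled nbLib.allowNetlink` does not add a family to whatever is already set; per the definition in the last section (`self.defaultHardening.RestrictAddressFamilies + " AF_NETLINK"`) it replaces the unit's `RestrictAddressFamilies` wholesale, so it is only equivalent to "add AF_NETLINK" if this serviceConfig carries exactly the default hardening set and nothing merged before it (including `nbLib.allowedIPAddresses`) touches that key. The start of the serviceConfig attrset is outside the hunk, so I cannot confirm that from here; a one-line comment would pin the assumption and match the clightning section, e.g. `# The zmq server requires AF_NETLINK (replaces the default family set)` above the `//` line. The lightning-pool section (`// nbLib.allowNetlink; # required by gRPC-Go`) uses the same override-by-merge pattern and the same caveat applies there.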


@ -4,6 +4,8 @@ with lib;
let let
cfg = config.services.clightning.plugins.zmq; cfg = config.services.clightning.plugins.zmq;
nbLib = config.nix-bitcoin.lib;
endpoints = [ endpoints = [
"channel-opened" "channel-opened"
"connect" "connect"
@ -38,5 +40,9 @@ in
plugin=${config.nix-bitcoin.pkgs.clightning-plugins.zmq.path} plugin=${config.nix-bitcoin.pkgs.clightning-plugins.zmq.path}
${concatStrings (map setEndpoint endpoints)} ${concatStrings (map setEndpoint endpoints)}
''; '';
# The zmq server requires AF_NETLINK
systemd.services.clightning.serviceConfig.RestrictAddressFamilies =
mkForce nbLib.allowNetlink.RestrictAddressFamilies;
}; };
} }
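Review bot: `mkForce` on `systemd.services.clightning.serviceConfig.RestrictAddressFamilies` will likely make this plugin module silently win over any other definition of that key for the clightning unit, so another plugin or a local override that needs a further family would be dropped without an evaluation error, while a second `mkForce` with a different value would instead fail as a conflict. If the intent is only to add AF_NETLINK on top of the default hardening set, the assumption that nothing else defines this option should at least be stated next to the existing comment, e.g. `# mkForce: assumes no other module sets RestrictAddressFamilies for clightning`. Also worth noting that, as the description says, the effect is invisible on NixOS 20.09, so a collision would only surface on cgroups v2 systems.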


@ -100,7 +100,8 @@ in {
Restart = "on-failure"; Restart = "on-failure";
RestartSec = "10s"; RestartSec = "10s";
ReadWritePaths = cfg.dataDir; ReadWritePaths = cfg.dataDir;
} // (nbLib.allowedIPAddresses cfg.enforceTor); } // (nbLib.allowedIPAddresses cfg.enforceTor)
// nbLib.allowNetlink; # required by gRPC-Go
}; };
}; };
} }


@ -262,8 +262,7 @@ in {
'') (attrNames cfg.macaroons)} '') (attrNames cfg.macaroons)}
'') '')
]; ];
} // nbLib.allowedIPAddresses cfg.enforceTor } // nbLib.allowedIPAddresses cfg.enforceTor;
// nbLib.allowAnyProtocol; # For ZMQ
}; };
users.users.${cfg.user} = { users.users.${cfg.user} = {
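Review bot: Dropping `// nbLib.allowAnyProtocol; # For ZMQ` leaves this unit with only the default family set, while the lightning-pool section justifies AF_NETLINK with `# required by gRPC-Go`; this module appears to be lnd's (`cfg.macaroons` in the context line), and lnd is also a Go daemon serving gRPC, so the two hunks apply different reasoning to the same runtime. The description explains the removal via zmq only (client, not server) and does not address the gRPC-Go angle. Since `RestrictAddressFamilies` is a no-op on NixOS 20.09 per the description, a missing family here would only show up as a startup or RPC failure on cgroups v2 systems, so it is worth confirming under that configuration and recording the result in a comment such as `# No extra address families needed: lnd runs only a zmq client (verified with RestrictAddressFamilies active)`.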


@ -33,6 +33,10 @@ let self = {
SystemCallArchitectures = "native"; SystemCallArchitectures = "native";
}; };
allowNetlink = {
RestrictAddressFamilies = self.defaultHardening.RestrictAddressFamilies + " AF_NETLINK";
};
# nodejs applications apparently rely on memory write execute # nodejs applications apparently rely on memory write execute
nodejs = { MemoryDenyWriteExecute = "false"; }; nodejs = { MemoryDenyWriteExecute = "false"; };