Merge #213: Fix systemd leak

6a8e29e016 tests: add dbus-hardening and hideProcessInformation (nixbitcoin)
0248e6493f systemd: lock down systemctl status (nixbitcoin)

Pull request description:

ACKs for top commit:
  jonasnick:
    ACK 6a8e29e016

Tree-SHA512: 1ee8ce42f71e1a8977f5a84053b10f5f7f56da395d4f801447d2d344540640fc496ef0ff341cb32ca92ac064d43d04f118bf580c42d31022e6ed84815b8f72c6
This commit is contained in:
Jonas Nick 2020-07-28 12:58:01 +00:00
commit 272b8568e7
No known key found for this signature in database
GPG Key ID: 4861DBF262123605
5 changed files with 73 additions and 0 deletions

55
modules/dbus.nix Normal file
View File

@ -0,0 +1,55 @@
{ config, lib, pkgs, ... }:
with lib;
let
inherit (config) nix-bitcoin-services;
dataDir = "/var/lib/dbus-hardening";
# Mitigates a security issue that allows unprivileged users to read
# other unprivileged user's processes' credentials from CGroup using
# `systemctl status`.
dbus-hardening = pkgs.writeText "dbus.conf" ''
<?xml version="1.0" encoding="UTF-8"?> <!-- -*- XML -*- -->
<!DOCTYPE busconfig PUBLIC
"-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
"http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
<policy user="root">
<allow send_destination="org.freedesktop.systemd1"
send_interface="org.freedesktop.systemd1.Manager"
send_member="GetUnitProcesses"/>
</policy>
<policy context="mandatory">
<deny send_destination="org.freedesktop.systemd1"
send_interface="org.freedesktop.systemd1.Manager"
send_member="GetUnitProcesses"/>
</policy>
</busconfig>
'';
in {
config = {
systemd.tmpfiles.rules = [
"d '${dataDir}/etc/dbus-1/system.d' 0770 messagebus messagebus - -"
];
services.dbus.packages = [ "${dataDir}" ];
systemd.services.hardeneddbus = {
description = "Install hardeneddbus";
wantedBy = [ "multi-user.target" ];
script = ''
cp ${dbus-hardening} ${dataDir}/etc/dbus-1/system.d/dbus.conf
chmod 640 ${dataDir}/etc/dbus-1/system.d/dbus.conf
'';
serviceConfig = nix-bitcoin-services.defaultHardening // {
PrivateNetwork = "true";
Type = "oneshot";
User = "messagebus";
ReadWritePaths = "${dataDir}";
};
};
};
}

View File

@ -15,6 +15,7 @@
./lnd.nix ./lnd.nix
./secrets/secrets.nix ./secrets/secrets.nix
./netns-isolation.nix ./netns-isolation.nix
./dbus.nix
]; ];
disabledModules = [ "services/networking/bitcoind.nix" ]; disabledModules = [ "services/networking/bitcoind.nix" ];

View File

@ -42,6 +42,9 @@ in {
networking.firewall.enable = true; networking.firewall.enable = true;
# hideProcessInformation even if hardened kernel profile is disabled
security.hideProcessInformation = true;
# Tor # Tor
services.tor = { services.tor = {
enable = true; enable = true;

View File

@ -51,6 +51,13 @@ assert_matches("curl -L localhost/store", "tshirt")
machine.wait_until_succeeds(log_has_string("bitcoind-import-banlist", "Importing node banlist")) machine.wait_until_succeeds(log_has_string("bitcoind-import-banlist", "Importing node banlist"))
assert_no_failure("bitcoind-import-banlist") assert_no_failure("bitcoind-import-banlist")
# test that `systemctl status` can't leak credentials
assert_matches(
"sudo -u electrs systemctl status clightning 2>&1 >/dev/null",
"Failed to dump process list for 'clightning.service', ignoring: Access denied",
)
machine.succeed("grep -Fq hidepid=2 /proc/mounts")
### Additional tests ### Additional tests
# Current time in µs # Current time in µs

View File

@ -113,6 +113,13 @@ assert_matches_exactly(
# test that netns-exec can not be executed by users that are not operator # test that netns-exec can not be executed by users that are not operator
machine.fail("sudo -u clightning netns-exec nb-bitcoind ip a") machine.fail("sudo -u clightning netns-exec nb-bitcoind ip a")
# test that `systemctl status` can't leak credentials
assert_matches(
"sudo -u electrs systemctl status clightning 2>&1 >/dev/null",
"Failed to dump process list for 'clightning.service', ignoring: Access denied",
)
machine.succeed("grep -Fq hidepid=2 /proc/mounts")
### Additional tests ### Additional tests
# Current time in µs # Current time in µs