security: update /proc restriction mechanism
NixOS option `security.hideProcessInformation` for globally restricting access to /proc has been removed. Use per-service restrictions via 'ProtectProc' instead. Rename `nix-bitcoin.security.hideProcessInformation` to `nix-bitcoin.security.dbusHideProcessInformation` because this option now only implements the dbus restriction.
This commit is contained in:
parent
178a0dcf8f
commit
35fe939cf8
@ -18,7 +18,7 @@ in {
|
||||
|
||||
networking.firewall.enable = true;
|
||||
|
||||
nix-bitcoin.security.hideProcessInformation = true;
|
||||
nix-bitcoin.security.dbusHideProcessInformation = true;
|
||||
|
||||
# Use doas instead of sudo
|
||||
security.doas.enable = true;
|
||||
|
@ -1,20 +1,29 @@
|
||||
{ config, lib, pkgs, options, ... }:
|
||||
{ config, lib, pkgs, ... }:
|
||||
|
||||
with lib;
|
||||
{
|
||||
options = {
|
||||
nix-bitcoin.security.hideProcessInformation = options.security.hideProcessInformation;
|
||||
nix-bitcoin.security.dbusHideProcessInformation = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = ''
|
||||
Only allow users with group 'proc' to retrieve systemd unit information like
|
||||
cgroup paths (i.e. (sub)process command lines) via D-Bus.
|
||||
|
||||
This mitigates a systemd security issue where (sub)process command lines can
|
||||
be retrieved by services even when their access to /proc is restricted
|
||||
(via ProtectProc).
|
||||
|
||||
This option works by restricting the D-Bus method 'GetUnitProcesses', which
|
||||
is also used internally by `systemctl status`.
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
config = lib.mkIf config.nix-bitcoin.security.hideProcessInformation {
|
||||
# Only show the current user's processes in /proc.
|
||||
# Users with group 'proc' can still access all processes.
|
||||
security.hideProcessInformation = true;
|
||||
config = mkIf config.nix-bitcoin.security.dbusHideProcessInformation {
|
||||
users.groups.proc = {};
|
||||
nix-bitcoin.operator.groups = [ "proc" ]; # Enable operator access to systemd-status
|
||||
|
||||
# This mitigates a systemd security issue leaking (sub)process
|
||||
# command lines.
|
||||
# Only allow users with group 'proc' to retrieve systemd unit information like
|
||||
# cgroup paths (i.e. (sub)process command lines) via D-Bus.
|
||||
# This D-Bus call is used by `systemctl status`.
|
||||
services.dbus.packages = lib.mkAfter [ # Apply at the end to override the default policy
|
||||
(pkgs.writeTextDir "etc/dbus-1/system.d/dbus.conf" ''
|
||||
<busconfig>
|
||||
|
@ -17,9 +17,8 @@ let self = {
|
||||
ProtectKernelModules = "true";
|
||||
ProtectKernelLogs = "true";
|
||||
ProtectClock = "true";
|
||||
# Test and enable these when systemd v247 is available
|
||||
# ProtectProc = "invisible";
|
||||
# ProcSubset = "pid";
|
||||
ProtectProc = "invisible";
|
||||
ProcSubset = "pid";
|
||||
ProtectControlGroups = "true";
|
||||
RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6";
|
||||
RestrictNamespaces = "true";
|
||||
|
@ -85,9 +85,6 @@ def _():
|
||||
succeed('[[ $(stat -c "%U:%G %a" /secrets/dummy) = "root:root 440" ]]')
|
||||
|
||||
if "secure-node" in enabled_tests:
|
||||
# Access to '/proc' should be restricted
|
||||
machine.succeed("grep -Fq hidepid=2 /proc/mounts")
|
||||
|
||||
machine.wait_for_unit("bitcoind")
|
||||
# `systemctl status` run by unprivileged users shouldn't leak cgroup info
|
||||
assert_matches(
|
||||
@ -97,7 +94,6 @@ def _():
|
||||
# The 'operator' with group 'proc' has full access
|
||||
assert_full_match("runuser -u operator -- systemctl status bitcoind 2>&1 >/dev/null", "")
|
||||
|
||||
|
||||
@test("bitcoind")
|
||||
def _():
|
||||
assert_running("bitcoind")
|
||||
|
Loading…
Reference in New Issue
Block a user