security: enable full systemd-status for group 'proc'

Previously, systemd-status was broken for all users except root.

Use a 'default' deny policy, which is overridden for group 'proc'.

Add operator to group 'proc'.

Also, remove redundant XML boilerplate.
This commit is contained in:
Erik Arvstedt 2020-08-20 13:11:08 +02:00
parent 96ea2e671c
commit 588a0b2405
No known key found for this signature in database
GPG Key ID: 33312B944DD97846
3 changed files with 25 additions and 16 deletions

View File

@ -227,6 +227,7 @@ in {
isNormalUser = true; isNormalUser = true;
extraGroups = [ extraGroups = [
"systemd-journal" "systemd-journal"
"proc" # Enable full /proc access and systemd-status
cfg.bitcoind.group cfg.bitcoind.group
] ]
++ (optionals cfg.clightning.enable [ "clightning" ]) ++ (optionals cfg.clightning.enable [ "clightning" ])

View File

@ -7,21 +7,27 @@
# This mitigates a systemd security issue leaking (sub)process # This mitigates a systemd security issue leaking (sub)process
# command lines. # command lines.
# Only allow root to retrieve systemd unit information like # Only allow users with group 'proc' to retrieve systemd unit information like
# cgroup paths (i.e. (sub)process command lines) via D-Bus. # cgroup paths (i.e. (sub)process command lines) via D-Bus.
# This D-Bus call is used by `systemctl status`. # This D-Bus call is used by `systemctl status`.
services.dbus.packages = [ (pkgs.writeTextDir "etc/dbus-1/system.d/dbus.conf" '' services.dbus.packages = lib.mkAfter [ # Apply at the end to override the default policy
<?xml version="1.0" encoding="UTF-8"?> <!-- -*- XML -*- --> (pkgs.writeTextDir "etc/dbus-1/system.d/dbus.conf" ''
<busconfig>
<!DOCTYPE busconfig PUBLIC <policy context="default">
"-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN" <deny
"http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd"> send_destination="org.freedesktop.systemd1"
<policy context="mandatory">
<deny send_destination="org.freedesktop.systemd1"
send_interface="org.freedesktop.systemd1.Manager" send_interface="org.freedesktop.systemd1.Manager"
send_member="GetUnitProcesses"/> send_member="GetUnitProcesses"
/>
</policy>
<policy group="proc">
<allow
send_destination="org.freedesktop.systemd1"
send_interface="org.freedesktop.systemd1.Manager"
send_member="GetUnitProcesses"
/>
</policy> </policy>
</busconfig> </busconfig>
'') ]; '')
];
} }

View File

@ -103,11 +103,13 @@ def run_tests(extra_tests):
machine.wait_until_succeeds(log_has_string("bitcoind-import-banlist", "Importing node banlist")) machine.wait_until_succeeds(log_has_string("bitcoind-import-banlist", "Importing node banlist"))
assert_no_failure("bitcoind-import-banlist") assert_no_failure("bitcoind-import-banlist")
# test that `systemctl status` can't leak credentials # `systemctl status` run by unprivileged users shouldn't leak cgroup info
assert_matches( assert_matches(
"sudo -u electrs systemctl status clightning 2>&1 >/dev/null", "sudo -u electrs systemctl status clightning 2>&1 >/dev/null",
"Failed to dump process list for 'clightning.service', ignoring: Access denied", "Failed to dump process list for 'clightning.service', ignoring: Access denied",
) )
# The 'operator' with group 'proc' has full access
assert_full_match("sudo -u operator systemctl status clightning 2>&1 >/dev/null", "")
machine.succeed("grep -Fq hidepid=2 /proc/mounts") machine.succeed("grep -Fq hidepid=2 /proc/mounts")
### Additional tests ### Additional tests