movefasta/nixpkgs
1
0
Fork 0
mirror of https://github.com/NixOS/nixpkgs.git synced 2025-06-25 18:46:32 +03:00
Code Activity

yggdrasil: reenable DynamicUser

Browse source 
Since version 0.4 Yggdrasil works again using systemd's DynamicUser option.
This patch reenables it to improve security.

We tested this with both persistent and non-persistent keys. Everything
seems to work fine.
This commit is contained in:
oaksoaj 2022-07-02 16:34:59 +02:00 committed by ehmry
parent e4d49de45a
commit 080774e28f
1 changed files with 6 additions and 23 deletions
Download patch file Download diff file Expand all files Collapse all files

29
nixos/modules/services/networking/yggdrasil.nix
View file

@ -60,13 +60,6 @@ in {
''; '';
}; };
group = mkOption {
type = types.str;
default = "root";
example = "wheel";
description = "Group to grant access to the Yggdrasil control socket.";
};
openMulticastPort = mkOption { openMulticastPort = mkOption {
type = bool; type = bool;
default = false; default = false;
@ -154,27 +147,17 @@ in {
ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
Restart = "always"; Restart = "always";
Group = cfg.group; User = "yggdrasil";
DynamicUser = true;
StateDirectory = "yggdrasil";
RuntimeDirectory = "yggdrasil"; RuntimeDirectory = "yggdrasil";
RuntimeDirectoryMode = "0750"; RuntimeDirectoryMode = "0750";
BindReadOnlyPaths = lib.optional configFileProvided cfg.configFile BindReadOnlyPaths = lib.optional configFileProvided cfg.configFile
++ lib.optional cfg.persistentKeys keysPath; ++ lib.optional cfg.persistentKeys keysPath;
ReadWritePaths = "/run/yggdrasil";
# TODO: as of yggdrasil 0.3.8 and systemd 243, yggdrasil fails AmbientCapabilities = "CAP_NET_ADMIN CAP_NET_BIND_SERVICE";
# to set up the network adapter when DynamicUser is set. See CapabilityBoundingSet = "CAP_NET_ADMIN CAP_NET_BIND_SERVICE";
# github.com/yggdrasil-network/yggdrasil-go/issues/557. The
# following options are implied by DynamicUser according to
# the systemd.exec documentation, and can be removed if the
# upstream issue is fixed and DynamicUser is set to true:
PrivateTmp = true;
RemoveIPC = true;
NoNewPrivileges = true;
ProtectSystem = "strict";
RestrictSUIDSGID = true;
# End of list of options implied by DynamicUser.
AmbientCapabilities = "CAP_NET_ADMIN";
CapabilityBoundingSet = "CAP_NET_ADMIN";
MemoryDenyWriteExecute = true; MemoryDenyWriteExecute = true;
ProtectControlGroups = true; ProtectControlGroups = true;
ProtectHome = "tmpfs"; ProtectHome = "tmpfs";