From 11cf6ab0ddc050de98715d4b9353d9ac12f8c9cd Mon Sep 17 00:00:00 2001
From: 360ied <19516527+360ied@users.noreply.github.com>
Date: Fri, 2 Feb 2024 09:34:43 -0500
Subject: [PATCH] nixos/murmur: systemd service hardening

Murmur provides an official systemd service file in their repo, which contains various service hardening settings:
https://github.com/mumble-voip/mumble/blob/c4b5858d141f76cce553be2f74dfc4291989fc9b/auxiliary_files/config_files/mumble-server.service.in#L7

The service configuration in nixpkgs does not include these hardening settings. This commit adds the hardening settings to the murmur service in nixpkgs.

This drops the `systemd-analyze security` score of murmur.service from 9.2 (UNSAFE) to 2.1 (OK).
---
 nixos/modules/services/networking/murmur.nix | 23 ++++++++++++++++++++
 1 file changed, 23 insertions(+)

diff --git a/nixos/modules/services/networking/murmur.nix b/nixos/modules/services/networking/murmur.nix
index 0cd80e134ace..5805f332a66f 100644
--- a/nixos/modules/services/networking/murmur.nix
+++ b/nixos/modules/services/networking/murmur.nix
@@ -326,6 +326,29 @@ in
 RuntimeDirectoryMode = "0700";
 User = "murmur";
 Group = "murmur";
+
+ # service hardening
+ AmbientCapabilities = "CAP_NET_BIND_SERVICE";
+ CapabilityBoundingSet = "CAP_NET_BIND_SERVICE";
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ NoNewPrivileges = true;
+ PrivateDevices = true;
+ PrivateTmp = true;
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ ProtectHome = true;
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectSystem = "full";
+ RestrictAddressFamilies = "~AF_PACKET AF_NETLINK";
+ RestrictNamespaces = true;
+ RestrictSUIDSGID = true;
+ RestrictRealtime = true;
+ SystemCallArchitectures = "native";
+ SystemCallFilter = "@system-service";
 };
 };
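Review bot: `AmbientCapabilities = "CAP_NET_BIND_SERVICE"` hands the daemon a capability the default configuration never exercises, since Mumble's default port (64738) is unprivileged, so the least-privilege form would grant it (and the matching `CapabilityBoundingSet` entry) only when the configured port is below 1024 — the module's port option that would gate this sits outside the hunk, so confirm it is in scope as `cfg` here. `RestrictAddressFamilies = "~AF_PACKET AF_NETLINK"` is a deny-list, which still leaves every other family (AF_BLUETOOTH, AF_ALG, …) reachable; an allow-list such as `RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];` matches the intent of the rest of the block (AF_UNIX kept for sd_notify or D-Bus sockets, if the daemon opens any — confirm against the binary). `ProtectSystem = "full"` can likely be tightened to `"strict"`, as the unit already depends on a RuntimeDirectory for its writable runtime state, provided its persistent state is under a declared StateDirectory — check the lines above the hunk before changing it. The enclosing `serviceConfig` attribute set begins before the hunk, so the preceding options are not visible here.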