nixos/echoip: improve systemd hardening (#387466)

2025-07-13 13:40:28 +03:00 · 2025-03-19 19:00:27 +01:00 · 2025-03-19 19:00:27 +01:00 · 1289c91409
commit 1289c91409
parent 86f44b004d eccf638822
3 changed files with 37 additions and 31 deletions
--- a/nixos/modules/services/web-apps/echoip.nix
+++ b/nixos/modules/services/web-apps/echoip.nix
@ -75,9 +75,12 @@ in
        );

        # Hardening
+        AmbientCapabilities = "";
        CapabilityBoundingSet = [ "" ];
-        DeviceAllow = [ "" ];
+        DevicePolicy = "closed";
        LockPersonality = true;
+        MemoryDenyWriteExecute = true;
+        NoNewPrivileges = true;
        PrivateDevices = true;
        PrivateTmp = true;
        PrivateUsers = true;
@ -91,15 +94,19 @@ in
        ProtectKernelTunables = true;
        ProtectProc = "invisible";
        ProtectSystem = "strict";
-        RestrictAddressFamilies = [
-          "AF_INET"
-          "AF_INET6"
-          "AF_UNIX"
-        ];
+        RemoveIPC = true;
+        RestrictAddressFamilies = [ "AF_INET AF_INET6 AF_UNIX" ];
        RestrictNamespaces = true;
        RestrictRealtime = true;
        RestrictSUIDSGID = true;
        SystemCallArchitectures = "native";
+        SystemCallFilter = [
+          "@system-service"
+          "~@privileged"
+          "~@resources"
+          "setrlimit"
+        ];
+        UMask = "0077";
      };
    };

--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@ -353,7 +353,7 @@ in {
  early-mount-options = handleTest ./early-mount-options.nix {};
  ec2-config = (handleTestOn ["x86_64-linux"] ./ec2.nix {}).boot-ec2-config or {};
  ec2-nixops = (handleTestOn ["x86_64-linux"] ./ec2.nix {}).boot-ec2-nixops or {};
-  echoip = handleTest ./echoip.nix {};
+  echoip = runTest ./echoip.nix;
  ecryptfs = handleTest ./ecryptfs.nix {};
  fscrypt = handleTest ./fscrypt.nix {};
  fastnetmon-advanced = runTest ./fastnetmon-advanced.nix;
--- a/nixos/tests/echoip.nix
+++ b/nixos/tests/echoip.nix
@ -1,29 +1,28 @@
-import ./make-test-python.nix (
-  { lib, ... }:
-  {
-    name = "echoip";
-    meta.maintainers = with lib.maintainers; [ defelo ];
+{ lib, ... }:

-    nodes.machine = {
-      services.echoip = {
-        enable = true;
-        virtualHost = "echoip.local";
-      };
+{
+  name = "echoip";
+  meta.maintainers = with lib.maintainers; [ defelo ];

-      networking.hosts = {
-        "127.0.0.1" = [ "echoip.local" ];
-        "::1" = [ "echoip.local" ];
-      };
+  nodes.machine = {
+    services.echoip = {
+      enable = true;
+      virtualHost = "echoip.local";
    };

-    testScript = ''
-      machine.wait_for_unit("echoip.service")
-      machine.wait_for_open_port(8080)
+    networking.hosts = {
+      "127.0.0.1" = [ "echoip.local" ];
+      "::1" = [ "echoip.local" ];
+    };
+  };

-      resp = machine.succeed("curl -4 http://echoip.local/ip")
-      assert resp.strip() == "127.0.0.1"
-      resp = machine.succeed("curl -6 http://echoip.local/ip")
-      assert resp.strip() == "::1"
-    '';
-  }
-)
+  testScript = ''
+    machine.wait_for_unit("echoip.service")
+    machine.wait_for_open_port(8080)
+
+    resp = machine.succeed("curl -4 http://echoip.local/ip")
+    assert resp.strip() == "127.0.0.1"
+    resp = machine.succeed("curl -6 http://echoip.local/ip")
+    assert resp.strip() == "::1"
+  '';
+}