From 110b3af97a8524161cd90e7a2aa5f2c269e4268c Mon Sep 17 00:00:00 2001 From: Defelo Date: Thu, 6 Mar 2025 02:00:59 +0100 Subject: [PATCH 1/2] nixos/tests/echoip: use runTest --- nixos/tests/all-tests.nix | 2 +- nixos/tests/echoip.nix | 47 +++++++++++++++++++-------------------- 2 files changed, 24 insertions(+), 25 deletions(-)
diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix
index 809440bfbf97..06411420a5dc 100644
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@@ -341,7 +341,7 @@ in {
early-mount-options = handleTest ./early-mount-options.nix {};
ec2-config = (handleTestOn ["x86_64-linux"] ./ec2.nix {}).boot-ec2-config or {};
ec2-nixops = (handleTestOn ["x86_64-linux"] ./ec2.nix {}).boot-ec2-nixops or {};
- echoip = handleTest ./echoip.nix {};
+ echoip = runTest ./echoip.nix;
ecryptfs = handleTest ./ecryptfs.nix {};
fscrypt = handleTest ./fscrypt.nix {};
fastnetmon-advanced = runTest ./fastnetmon-advanced.nix;
diff --git a/nixos/tests/echoip.nix b/nixos/tests/echoip.nix
index 036018b26438..0e7747d713c1 100644
--- a/nixos/tests/echoip.nix
+++ b/nixos/tests/echoip.nix
@@ -1,29 +1,28 @@
-import ./make-test-python.nix (
- { lib, ... }:
- {
- name = "echoip";
- meta.maintainers = with lib.maintainers; [ defelo ];
+{ lib, ... }:
- nodes.machine = {
- services.echoip = {
- enable = true;
- virtualHost = "echoip.local";
- };
+{
+ name = "echoip";
+ meta.maintainers = with lib.maintainers; [ defelo ];
- networking.hosts = {
- "127.0.0.1" = [ "echoip.local" ];
- "::1" = [ "echoip.local" ];
- };
+ nodes.machine = {
+ services.echoip = {
+ enable = true;
+ virtualHost = "echoip.local";
};
- testScript = ''
- machine.wait_for_unit("echoip.service")
- machine.wait_for_open_port(8080)
+ networking.hosts = {
+ "127.0.0.1" = [ "echoip.local" ];
+ "::1" = [ "echoip.local" ];
+ };
+ };
- resp = machine.succeed("curl -4 http://echoip.local/ip")
- assert resp.strip() == "127.0.0.1"
- resp = machine.succeed("curl -6 http://echoip.local/ip")
- assert resp.strip() == "::1"
- '';
- }
-)
+ testScript = ''
+ machine.wait_for_unit("echoip.service")
+ machine.wait_for_open_port(8080)
+
+ resp = machine.succeed("curl -4 http://echoip.local/ip")
+ assert resp.strip() == "127.0.0.1"
+ resp = machine.succeed("curl -6 http://echoip.local/ip")
+ assert resp.strip() == "::1"
+ '';
+}
From eccf6388229ab41dec9b97244fe0432490cbc4cb Mon Sep 17 00:00:00 2001 From: Defelo Date: Thu, 6 Mar 2025 02:01:23 +0100 Subject: [PATCH 2/2] nixos/echoip: improve systemd hardening --- nixos/modules/services/web-apps/echoip.nix | 19 +++++++++++++------ 1 file changed, 13 insertions(+), 6 deletions(-)
diff --git a/nixos/modules/services/web-apps/echoip.nix b/nixos/modules/services/web-apps/echoip.nix
index 4bfba2ae138a..369ff35f4978 100644
--- a/nixos/modules/services/web-apps/echoip.nix
+++ b/nixos/modules/services/web-apps/echoip.nix
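Review bot: Both `curl` calls in the migrated `testScript` run without `-f`/`--fail`, so an HTTP error from the reverse proxy or from echoip still satisfies `machine.succeed` and only shows up as a body mismatch in the following `assert`, which hides the status code and the server's message. Use `machine.succeed("curl -fsS -4 http://echoip.local/ip")` (and the `-6` twin) so a non-2xx response fails the step directly with curl's diagnostic in the test log. Within this series, this test is what guards the seccomp and capability hardening added in the second patch, yet it exercises only `/ip` over loopback and pins the upstream port via `wait_for_open_port(8080)`; that is fine as long as the module's default port stays 8080, which is not visible here.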
@@ -75,9 +75,12 @@ in
);
# Hardening
+ AmbientCapabilities = "";
CapabilityBoundingSet = [ "" ];
- DeviceAllow = [ "" ];
+ DevicePolicy = "closed";
LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ NoNewPrivileges = true;
PrivateDevices = true;
PrivateTmp = true;
PrivateUsers = true;
@@ -91,15 +94,19 @@ in
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProtectSystem = "strict";
- RestrictAddressFamilies = [
- "AF_INET"
- "AF_INET6"
- "AF_UNIX"
- ];
+ RemoveIPC = true;
+ RestrictAddressFamilies = [ "AF_INET AF_INET6 AF_UNIX" ];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
+ SystemCallFilter = [
+ "@system-service"
+ "~@privileged"
+ "~@resources"
+ "setrlimit"
+ ];
+ UMask = "0077";
};
};
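Review bot: `AmbientCapabilities = ""` combined with the retained `CapabilityBoundingSet = [ "" ]` leaves the service with no capabilities at all, so a bind to a port below 1024 would fail; the test only exercises 8080, and whether the module exposes a user-settable listen port is not visible in this hunk — if it does, add an assertion that the port is at least 1024 or state the restriction in the option description. The replacement of `DeviceAllow = [ "" ]` by `DevicePolicy = "closed"` does not change the effective device policy, because systemd already applies `DevicePolicy=closed` when `PrivateDevices=true` is set two lines below; a comment such as `# implied by PrivateDevices, kept explicit` would stop a later cleanup from silently dropping one of them. The two "nothing" values are also spelled differently (`""` for AmbientCapabilities, `[ "" ]` for CapabilityBoundingSet); use one form for both.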
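Review bot: The `"setrlimit"` entry in `SystemCallFilter` re-allows one call that `~@resources` on the previous line just removed, and nothing says why, so the next hardening pass is likely to delete it. Presumably it is for the Go runtime's RLIMIT_NOFILE adjustment at startup — confirm which syscall the echoip binary actually issues (on 64-bit Linux the Go runtime may go through `prlimit64`, which belongs to `@default`/`@system-service` rather than `@resources`), then either add `# Go runtime raises RLIMIT_NOFILE at startup` above the entry or drop it if it is not needed. `RestrictAddressFamilies = [ "AF_INET AF_INET6 AF_UNIX" ]` is a one-element list holding a space-separated string; systemd accepts that, but it departs from the one-family-per-element form the removed lines used and most nixpkgs modules follow, and `RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];` diffs better when a family is added. The enclosing `serviceConfig` and `systemd.services` blocks begin outside this hunk.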