
nixos/echoip: improve systemd hardening (#387466)

This commit is contained in:
Sandro 2025-03-19 19:00:27 +01:00 committed by GitHub
commit 1289c91409
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
3 changed files with 37 additions and 31 deletions


@ -75,9 +75,12 @@ in
); );
# Hardening # Hardening
AmbientCapabilities = "";
CapabilityBoundingSet = [ "" ]; CapabilityBoundingSet = [ "" ];
DeviceAllow = [ "" ]; DevicePolicy = "closed";
LockPersonality = true; LockPersonality = true;
MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
PrivateDevices = true; PrivateDevices = true;
PrivateTmp = true; PrivateTmp = true;
PrivateUsers = true; PrivateUsers = true;
@ -91,15 +94,19 @@ in
ProtectKernelTunables = true; ProtectKernelTunables = true;
ProtectProc = "invisible"; ProtectProc = "invisible";
ProtectSystem = "strict"; ProtectSystem = "strict";
RestrictAddressFamilies = [ RemoveIPC = true;
"AF_INET" RestrictAddressFamilies = [ "AF_INET AF_INET6 AF_UNIX" ];
"AF_INET6"
"AF_UNIX"
];
RestrictNamespaces = true; RestrictNamespaces = true;
RestrictRealtime = true; RestrictRealtime = true;
RestrictSUIDSGID = true; RestrictSUIDSGID = true;
SystemCallArchitectures = "native"; SystemCallArchitectures = "native";
SystemCallFilter = [
"@system-service"
"~@privileged"
"~@resources"
"setrlimit"
];
UMask = "0077";
}; };
}; };
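Review bot: The trailing `"setrlimit"` entry in the new SystemCallFilter list re-allows a call that the preceding `"~@resources"` just removed, and nothing in the hunk explains why, so a later tightening of the filter could drop it without knowing what breaks. Assuming systemd applies the entries in order (an allow-list first, the `~` entries subtracted, a plain name added back), the carve-out is presumably for the Go runtime, which raises its RLIMIT_NOFILE soft limit at startup; confirm that against the service and record it in place, e.g. `# Go runtime adjusts RLIMIT_NOFILE at startup; keep setrlimit despite ~@resources`. On a point of style, `RestrictAddressFamilies = [ "AF_INET AF_INET6 AF_UNIX" ];` folds three families into one space-separated string where the removed lines had one list element each; systemd accepts both forms, but one family per element matches how SystemCallFilter is written in the same hunk and diffs more cleanly, so I would keep `[ "AF_INET" "AF_INET6" "AF_UNIX" ]`. The serviceConfig attrset these hunks patch begins above the first hunk, outside the page.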


@ -353,7 +353,7 @@ in {
early-mount-options = handleTest ./early-mount-options.nix {}; early-mount-options = handleTest ./early-mount-options.nix {};
ec2-config = (handleTestOn ["x86_64-linux"] ./ec2.nix {}).boot-ec2-config or {}; ec2-config = (handleTestOn ["x86_64-linux"] ./ec2.nix {}).boot-ec2-config or {};
ec2-nixops = (handleTestOn ["x86_64-linux"] ./ec2.nix {}).boot-ec2-nixops or {}; ec2-nixops = (handleTestOn ["x86_64-linux"] ./ec2.nix {}).boot-ec2-nixops or {};
echoip = handleTest ./echoip.nix {}; echoip = runTest ./echoip.nix;
ecryptfs = handleTest ./ecryptfs.nix {}; ecryptfs = handleTest ./ecryptfs.nix {};
fscrypt = handleTest ./fscrypt.nix {}; fscrypt = handleTest ./fscrypt.nix {};
fastnetmon-advanced = runTest ./fastnetmon-advanced.nix; fastnetmon-advanced = runTest ./fastnetmon-advanced.nix;


@ -1,29 +1,28 @@
import ./make-test-python.nix ( { lib, ... }:
{ lib, ... }:
{
name = "echoip";
meta.maintainers = with lib.maintainers; [ defelo ];
nodes.machine = { {
services.echoip = { name = "echoip";
enable = true; meta.maintainers = with lib.maintainers; [ defelo ];
virtualHost = "echoip.local";
};
networking.hosts = { nodes.machine = {
"127.0.0.1" = [ "echoip.local" ]; services.echoip = {
"::1" = [ "echoip.local" ]; enable = true;
}; virtualHost = "echoip.local";
}; };
testScript = '' networking.hosts = {
machine.wait_for_unit("echoip.service") "127.0.0.1" = [ "echoip.local" ];
machine.wait_for_open_port(8080) "::1" = [ "echoip.local" ];
};
};
resp = machine.succeed("curl -4 http://echoip.local/ip") testScript = ''
assert resp.strip() == "127.0.0.1" machine.wait_for_unit("echoip.service")
resp = machine.succeed("curl -6 http://echoip.local/ip") machine.wait_for_open_port(8080)
assert resp.strip() == "::1"
''; resp = machine.succeed("curl -4 http://echoip.local/ip")
} assert resp.strip() == "127.0.0.1"
) resp = machine.succeed("curl -6 http://echoip.local/ip")
assert resp.strip() == "::1"
'';
}