Merge pull request #321987 from thiagokokada/rtorrent-add-hardening

nixos/rtorrent: add systemd hardening configuration

nixos/modules/services/torrent/rtorrent.nix

@@ -8,6 +8,8 @@ let
   opt = options.services.rtorrent;
 
 in {
+  meta.maintainers = with lib.maintainers; [ thiagokokada ];
+
   options.services.rtorrent = {
     enable = mkEnableOption "rtorrent";
 
@@ -202,7 +204,31 @@ in {
             ExecStartPre=''${pkgs.bash}/bin/bash -c "if test -e ${cfg.dataDir}/session/rtorrent.lock && test -z $(${pkgs.procps}/bin/pidof rtorrent); then rm -f ${cfg.dataDir}/session/rtorrent.lock; fi"'';
             ExecStart="${cfg.package}/bin/rtorrent -n -o system.daemon.set=true -o import=${rtorrentConfigFile}";
             RuntimeDirectory = "rtorrent";
-            RuntimeDirectoryMode = 755;
+            RuntimeDirectoryMode = 750;
+
+            CapabilityBoundingSet = [ "" ];
+            LockPersonality = true;
+            NoNewPrivileges = true;
+            PrivateDevices = true;
+            PrivateTmp = true;
+            ProtectClock = true;
+            ProtectControlGroups = true;
+            # If the default user is changed, there is a good chance that they
+            # want to store data in e.g.: $HOME directory
+            # Relax hardening in this case
+            ProtectHome = lib.mkIf (cfg.user == "rtorrent") true;
+            ProtectHostname = true;
+            ProtectKernelLogs = true;
+            ProtectKernelModules = true;
+            ProtectKernelTunables = true;
+            ProtectProc = "invisible";
+            ProtectSystem = "full";
+            RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
+            RestrictNamespaces = true;
+            RestrictRealtime = true;
+            RestrictSUIDSGID = true;
+            SystemCallArchitectures = "native";
+            SystemCallFilter = [ "@system-service" "~@privileged" ];
           };
         };
       };

nixos/tests/all-tests.nix

@@ -824,6 +824,7 @@ in {
   rstudio-server = handleTest ./rstudio-server.nix {};
   rsyncd = handleTest ./rsyncd.nix {};
   rsyslogd = handleTest ./rsyslogd.nix {};
+  rtorrent = handleTest ./rtorrent.nix {};
   rxe = handleTest ./rxe.nix {};
   sabnzbd = handleTest ./sabnzbd.nix {};
   samba = handleTest ./samba.nix {};

nixos/tests/rtorrent.nix

@@ -0,0 +1,25 @@
+import ./make-test-python.nix ({ pkgs, ... }:
+let
+  port = 50001;
+in
+{
+  name = "rtorrent";
+  meta = {
+    maintainers = with pkgs.lib.maintainers; [ thiagokokada ];
+  };
+
+  nodes.machine = { pkgs, ... }: {
+    services.rtorrent = {
+      inherit port;
+      enable = true;
+    };
+  };
+
+  testScript = /* python */ ''
+    machine.start()
+    machine.wait_for_unit("rtorrent.service")
+    machine.wait_for_open_port(${toString port})
+
+    machine.succeed("nc -z localhost ${toString port}")
+  '';
+})

pkgs/applications/networking/p2p/rakshasa-rtorrent/default.nix

@@ -13,9 +13,10 @@
 , pkg-config
 , xmlrpc_c
 , zlib
+, nixosTests
 }:
 
-stdenv.mkDerivation rec {
+stdenv.mkDerivation {
   pname = "rakshasa-rtorrent";
   version = "0.9.8+date=2022-06-20";
 
@@ -53,6 +54,10 @@ stdenv.mkDerivation rec {
     "--with-posix-fallocate"
   ];
 
+  passthru.tests = {
+    inherit (nixosTests) rtorrent;
+  };
+
   enableParallelBuilding = true;
 
   postInstall = ''