nix-bitcoin/modules/security.nix

{ config, lib, pkgs, ... }:

with lib;

let
  inherit (config) nix-bitcoin-services;
  dataDir = "/var/lib/dbus-hardening";
  # Mitigates a security issue that allows unprivileged users to read
  # other unprivileged user's processes' credentials from CGroup using
  # `systemctl status`.
  dbus-hardening = pkgs.writeText "dbus.conf" ''
    <?xml version="1.0" encoding="UTF-8"?> <!-- -*- XML -*- -->

    <!DOCTYPE busconfig PUBLIC
     "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
     "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">

    <busconfig>
      <policy user="root">
        <allow send_destination="org.freedesktop.systemd1"
          send_interface="org.freedesktop.systemd1.Manager"
          send_member="GetUnitProcesses"/>
      </policy>

      <policy context="mandatory">
        <deny send_destination="org.freedesktop.systemd1"
          send_interface="org.freedesktop.systemd1.Manager"
          send_member="GetUnitProcesses"/>
      </policy>
    </busconfig>
  '';
in {
  config = {
    systemd.tmpfiles.rules = [
      "d '${dataDir}/etc/dbus-1/system.d' 0770 messagebus messagebus - -"
    ];

    services.dbus.packages = [ "${dataDir}" ];

    systemd.services.hardeneddbus = {
      description = "Install hardeneddbus";
      wantedBy = [ "multi-user.target" ];
      script = ''
        cp ${dbus-hardening} ${dataDir}/etc/dbus-1/system.d/dbus.conf
        chmod 640 ${dataDir}/etc/dbus-1/system.d/dbus.conf
      '';
      serviceConfig = nix-bitcoin-services.defaultHardening // {
        PrivateNetwork = "true";
        Type = "oneshot";
        User = "messagebus";
        ReadWritePaths = "${dataDir}";
      };
    };
  };
}
systemd: lock down systemctl status Mitigates a security issue that allows unprivileged users to read other unprivileged user's processes' credentials from CGroup using `systemctl status`. 2020-07-27 10:26:45 -07:00			`{ config, lib, pkgs, ... }:`

			`with lib;`

			`let`
			`inherit (config) nix-bitcoin-services;`
			`dataDir = "/var/lib/dbus-hardening";`
			`# Mitigates a security issue that allows unprivileged users to read`
			`# other unprivileged user's processes' credentials from CGroup using`
			# `systemctl status`.
			`dbus-hardening = pkgs.writeText "dbus.conf" ''`
			`<?xml version="1.0" encoding="UTF-8"?> <!-- -- XML -- -->`

			`<!DOCTYPE busconfig PUBLIC`
			`"-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"`
			`"http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">`

			`<busconfig>`
			`<policy user="root">`
			`<allow send_destination="org.freedesktop.systemd1"`
			`send_interface="org.freedesktop.systemd1.Manager"`
			`send_member="GetUnitProcesses"/>`
			`</policy>`

			`<policy context="mandatory">`
			`<deny send_destination="org.freedesktop.systemd1"`
			`send_interface="org.freedesktop.systemd1.Manager"`
			`send_member="GetUnitProcesses"/>`
			`</policy>`
			`</busconfig>`
			`'';`
			`in {`
			`config = {`
			`systemd.tmpfiles.rules = [`
			`"d '${dataDir}/etc/dbus-1/system.d' 0770 messagebus messagebus - -"`
			`];`

			`services.dbus.packages = [ "${dataDir}" ];`

			`systemd.services.hardeneddbus = {`
			`description = "Install hardeneddbus";`
			`wantedBy = [ "multi-user.target" ];`
			`script = ''`
			`cp ${dbus-hardening} ${dataDir}/etc/dbus-1/system.d/dbus.conf`
			`chmod 640 ${dataDir}/etc/dbus-1/system.d/dbus.conf`
			`'';`
			`serviceConfig = nix-bitcoin-services.defaultHardening // {`
			`PrivateNetwork = "true";`
			`Type = "oneshot";`
			`User = "messagebus";`
			`ReadWritePaths = "${dataDir}";`
			`};`
			`};`
			`};`
			`}`