nix-bitcoin/modules/security.nix

{ config, lib, pkgs, ... }:

{
  # Only show the current user's processes in /proc.
  # Users with group 'proc' can still access all processes.
  security.hideProcessInformation = true;

  # This mitigates a systemd security issue leaking (sub)process
  # command lines.
  # Only allow root to retrieve systemd unit information like
  # cgroup paths (i.e. (sub)process command lines) via D-Bus.
  # This D-Bus call is used by `systemctl status`.
  services.dbus.packages = [ (pkgs.writeTextDir "etc/dbus-1/system.d/dbus.conf" ''
    <?xml version="1.0" encoding="UTF-8"?> <!-- -*- XML -*- -->

    <!DOCTYPE busconfig PUBLIC
     "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
     "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">

      <policy context="mandatory">
        <deny send_destination="org.freedesktop.systemd1"
          send_interface="org.freedesktop.systemd1.Manager"
          send_member="GetUnitProcesses"/>
      </policy>
    </busconfig>
  '') ];
}
systemd: lock down systemctl status Mitigates a security issue that allows unprivileged users to read other unprivileged user's processes' credentials from CGroup using `systemctl status`. 2020-07-27 10:26:45 -07:00			`{ config, lib, pkgs, ... }:`

security: simplify and fix dbus configuration Previously, due to the dependency on a helper service, this dbus config was initially inactive after system boot, allowing for unrestricted use of the problematic dbus call. This also broke the accompanying VM test on faster systems. Remove 'allow' policy for root because it's a no-op: 1. It's overridden by the 'mandatory' deny policy. 2. Root can use all dbus calls anyways, regardless of policy settings. Also, add some comments. 2020-08-20 04:11:07 -07:00			`{`
			`# Only show the current user's processes in /proc.`
			`# Users with group 'proc' can still access all processes.`
			`security.hideProcessInformation = true;`
systemd: lock down systemctl status Mitigates a security issue that allows unprivileged users to read other unprivileged user's processes' credentials from CGroup using `systemctl status`. 2020-07-27 10:26:45 -07:00
security: simplify and fix dbus configuration Previously, due to the dependency on a helper service, this dbus config was initially inactive after system boot, allowing for unrestricted use of the problematic dbus call. This also broke the accompanying VM test on faster systems. Remove 'allow' policy for root because it's a no-op: 1. It's overridden by the 'mandatory' deny policy. 2. Root can use all dbus calls anyways, regardless of policy settings. Also, add some comments. 2020-08-20 04:11:07 -07:00			`# This mitigates a systemd security issue leaking (sub)process`
			`# command lines.`
			`# Only allow root to retrieve systemd unit information like`
			`# cgroup paths (i.e. (sub)process command lines) via D-Bus.`
			# This D-Bus call is used by `systemctl status`.
			`services.dbus.packages = [ (pkgs.writeTextDir "etc/dbus-1/system.d/dbus.conf" ''`
systemd: lock down systemctl status Mitigates a security issue that allows unprivileged users to read other unprivileged user's processes' credentials from CGroup using `systemctl status`. 2020-07-27 10:26:45 -07:00			`<?xml version="1.0" encoding="UTF-8"?> <!-- -- XML -- -->`

			`<!DOCTYPE busconfig PUBLIC`
			`"-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"`
			`"http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">`

			`<policy context="mandatory">`
			`<deny send_destination="org.freedesktop.systemd1"`
			`send_interface="org.freedesktop.systemd1.Manager"`
			`send_member="GetUnitProcesses"/>`
			`</policy>`
			`</busconfig>`
security: simplify and fix dbus configuration Previously, due to the dependency on a helper service, this dbus config was initially inactive after system boot, allowing for unrestricted use of the problematic dbus call. This also broke the accompanying VM test on faster systems. Remove 'allow' policy for root because it's a no-op: 1. It's overridden by the 'mandatory' deny policy. 2. Root can use all dbus calls anyways, regardless of policy settings. Also, add some comments. 2020-08-20 04:11:07 -07:00			`'') ];`
systemd: lock down systemctl status Mitigates a security issue that allows unprivileged users to read other unprivileged user's processes' credentials from CGroup using `systemctl status`. 2020-07-27 10:26:45 -07:00			`}`