nix-bitcoin/modules/security.nix

{ config, lib, pkgs, ... }:

{
  # Only show the current user's processes in /proc.
  # Users with group 'proc' can still access all processes.
  security.hideProcessInformation = true;

  # This mitigates a systemd security issue leaking (sub)process
  # command lines.
  # Only allow users with group 'proc' to retrieve systemd unit information like
  # cgroup paths (i.e. (sub)process command lines) via D-Bus.
  # This D-Bus call is used by `systemctl status`.
  services.dbus.packages = lib.mkAfter [ # Apply at the end to override the default policy
    (pkgs.writeTextDir "etc/dbus-1/system.d/dbus.conf" ''
      <busconfig>
        <policy context="default">
          <deny
            send_destination="org.freedesktop.systemd1"
            send_interface="org.freedesktop.systemd1.Manager"
            send_member="GetUnitProcesses"
          />
        </policy>
        <policy group="proc">
          <allow
            send_destination="org.freedesktop.systemd1"
            send_interface="org.freedesktop.systemd1.Manager"
            send_member="GetUnitProcesses"
          />
        </policy>
      </busconfig>
    '')
  ];
}
systemd: lock down systemctl status Mitigates a security issue that allows unprivileged users to read other unprivileged user's processes' credentials from CGroup using `systemctl status`. 2020-07-27 10:26:45 -07:00			`{ config, lib, pkgs, ... }:`

security: simplify and fix dbus configuration Previously, due to the dependency on a helper service, this dbus config was initially inactive after system boot, allowing for unrestricted use of the problematic dbus call. This also broke the accompanying VM test on faster systems. Remove 'allow' policy for root because it's a no-op: 1. It's overridden by the 'mandatory' deny policy. 2. Root can use all dbus calls anyways, regardless of policy settings. Also, add some comments. 2020-08-20 04:11:07 -07:00			`{`
			`# Only show the current user's processes in /proc.`
			`# Users with group 'proc' can still access all processes.`
			`security.hideProcessInformation = true;`
systemd: lock down systemctl status Mitigates a security issue that allows unprivileged users to read other unprivileged user's processes' credentials from CGroup using `systemctl status`. 2020-07-27 10:26:45 -07:00
security: simplify and fix dbus configuration Previously, due to the dependency on a helper service, this dbus config was initially inactive after system boot, allowing for unrestricted use of the problematic dbus call. This also broke the accompanying VM test on faster systems. Remove 'allow' policy for root because it's a no-op: 1. It's overridden by the 'mandatory' deny policy. 2. Root can use all dbus calls anyways, regardless of policy settings. Also, add some comments. 2020-08-20 04:11:07 -07:00			`# This mitigates a systemd security issue leaking (sub)process`
			`# command lines.`
security: enable full systemd-status for group 'proc' Previously, systemd-status was broken for all users except root. Use a 'default' deny policy, which is overridden for group 'proc'. Add operator to group 'proc'. Also, remove redundant XML boilerplate. 2020-08-20 04:11:08 -07:00			`# Only allow users with group 'proc' to retrieve systemd unit information like`
security: simplify and fix dbus configuration Previously, due to the dependency on a helper service, this dbus config was initially inactive after system boot, allowing for unrestricted use of the problematic dbus call. This also broke the accompanying VM test on faster systems. Remove 'allow' policy for root because it's a no-op: 1. It's overridden by the 'mandatory' deny policy. 2. Root can use all dbus calls anyways, regardless of policy settings. Also, add some comments. 2020-08-20 04:11:07 -07:00			`# cgroup paths (i.e. (sub)process command lines) via D-Bus.`
			# This D-Bus call is used by `systemctl status`.
security: enable full systemd-status for group 'proc' Previously, systemd-status was broken for all users except root. Use a 'default' deny policy, which is overridden for group 'proc'. Add operator to group 'proc'. Also, remove redundant XML boilerplate. 2020-08-20 04:11:08 -07:00			`services.dbus.packages = lib.mkAfter [ # Apply at the end to override the default policy`
			`(pkgs.writeTextDir "etc/dbus-1/system.d/dbus.conf" ''`
			`<busconfig>`
			`<policy context="default">`
			`<deny`
			`send_destination="org.freedesktop.systemd1"`
			`send_interface="org.freedesktop.systemd1.Manager"`
			`send_member="GetUnitProcesses"`
			`/>`
			`</policy>`
			`<policy group="proc">`
			`<allow`
			`send_destination="org.freedesktop.systemd1"`
			`send_interface="org.freedesktop.systemd1.Manager"`
			`send_member="GetUnitProcesses"`
			`/>`
			`</policy>`
			`</busconfig>`
			`'')`
			`];`
systemd: lock down systemctl status Mitigates a security issue that allows unprivileged users to read other unprivileged user's processes' credentials from CGroup using `systemctl status`. 2020-07-27 10:26:45 -07:00			`}`