From 0248e6493f5f62fb66a53132480a4812f4e7be9c Mon Sep 17 00:00:00 2001 From: nixbitcoin Date: Mon, 27 Jul 2020 17:26:45 +0000 Subject: [PATCH] systemd: lock down systemctl status Mitigates a security issue that allows unprivileged users to read other unprivileged user's processes' credentials from CGroup using `systemctl status`. --- modules/dbus.nix | 55 +++++++++++++++++++++++++++++++++ modules/modules.nix | 1 + modules/presets/secure-node.nix | 3 ++ 3 files changed, 59 insertions(+) create mode 100644 modules/dbus.nix diff --git a/modules/dbus.nix b/modules/dbus.nix new file mode 100644 index 0000000..000b0ff --- /dev/null +++ b/modules/dbus.nix @@ -0,0 +1,55 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + inherit (config) nix-bitcoin-services; + dataDir = "/var/lib/dbus-hardening"; + # Mitigates a security issue that allows unprivileged users to read + # other unprivileged user's processes' credentials from CGroup using + # `systemctl status`. + dbus-hardening = pkgs.writeText "dbus.conf" '' + + + + + + + + + + + + + + ''; +in { + config = { + systemd.tmpfiles.rules = [ + "d '${dataDir}/etc/dbus-1/system.d' 0770 messagebus messagebus - -" + ]; + + services.dbus.packages = [ "${dataDir}" ]; + + systemd.services.hardeneddbus = { + description = "Install hardeneddbus"; + wantedBy = [ "multi-user.target" ]; + script = '' + cp ${dbus-hardening} ${dataDir}/etc/dbus-1/system.d/dbus.conf + chmod 640 ${dataDir}/etc/dbus-1/system.d/dbus.conf + ''; + serviceConfig = nix-bitcoin-services.defaultHardening // { + PrivateNetwork = "true"; + Type = "oneshot"; + User = "messagebus"; + ReadWritePaths = "${dataDir}"; + }; + }; + }; +} diff --git a/modules/modules.nix b/modules/modules.nix index 6eb1d04..dd6d936 100644 --- a/modules/modules.nix +++ b/modules/modules.nix @@ -15,6 +15,7 @@ ./lnd.nix ./secrets/secrets.nix ./netns-isolation.nix + ./dbus.nix ]; disabledModules = [ "services/networking/bitcoind.nix" ]; 
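Review bot: The policy that is supposed to restrict the bus lives in `${dataDir}/etc/dbus-1/system.d`, which the tmpfiles rule creates as `0770 messagebus messagebus` and which the `hardeneddbus` oneshot writes while running as `User = "messagebus"` with `ReadWritePaths = "${dataDir}"`, so the dbus daemon's own uid can modify the file that constrains it; a hardening policy should not be writable by the account it hardens. The same file can be served read-only from the Nix store with one line, `services.dbus.packages = [ (pkgs.writeTextDir "etc/dbus-1/system.d/dbus.conf" policyXml) ];` (where `policyXml` is the string currently passed to `pkgs.writeText`), which would also make the tmpfiles rule, the copy service and its `chmod` unnecessary. Independently of that, `hardeneddbus` is only `wantedBy = [ "multi-user.target" ]` with no ordering against `dbus.service`, so on a fresh boot dbus presumably starts before the file exists and the policy would not apply until dbus re-reads its configuration — worth confirming. The XML body of the `dbus.conf` string is not visible in this rendering of the patch, so the policy rule itself is not reviewed here.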
diff --git a/modules/presets/secure-node.nix b/modules/presets/secure-node.nix index 7d5cfe3..2789f69 100644 --- a/modules/presets/secure-node.nix +++ b/modules/presets/secure-node.nix @@ -42,6 +42,9 @@ in { networking.firewall.enable = true; + # hideProcessInformation even if hardened kernel profile is disabled + security.hideProcessInformation = true; + # Tor services.tor = { enable = true;
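Review bot: The new comment `# hideProcessInformation even if hardened kernel profile is disabled` explains why the line is in the preset but not what it does or what it costs users, which matters for a user-facing preset. I would replace it with `# Mount /proc with hidepid so unprivileged users cannot see other users' processes.` followed by `# Set explicitly so it stays on when the hardened profile is not imported; users` and `# that need full process visibility must be added to the proc group.` (the proc-group behaviour is my recollection of the NixOS option — please verify against its description). Two caveats are worth recording as well: hidepid only restricts the /proc view and does not cover other channels that expose process data, and, as far as I recall, upstream NixOS later removed `security.hideProcessInformation` as incompatible with systemd/cgroups v2, so the preset may need an alternative on newer channels.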