From 08fe9ba84ae6b1394679194aa0a98996823cf32a Mon Sep 17 00:00:00 2001
From: Erik Arvstedt
Date: Mon, 22 Mar 2021 13:19:46 +0100
Subject: [PATCH] services: add finer-grained address family restrictions

Due to a possible NixOS bug, this commit has no effect on NixOS 20.09 where `RestrictAddressFamilies` is a no-op. It's only relevant for NixOS unstable with cgroups v2.

bitcoind+zmq: instead of allowing all address families, only add the required AF_NETLINK family.

lnd: lnd only runs a zmq client, not a server, therefore it requires no additional address families.

lightning-pool, clightning-plugin-zmq: add AF_NETLINK.
---
 modules/bitcoind.nix | 4 +++-
 modules/clightning-plugins/zmq.nix | 6 ++++++
 modules/lightning-pool.nix | 3 ++-
 modules/lnd.nix | 3 +--
 pkgs/lib.nix | 4 ++++
 5 files changed, 16 insertions(+), 4 deletions(-)

diff --git a/modules/bitcoind.nix b/modules/bitcoind.nix
index 6633f40..9a2a79b 100644
--- a/modules/bitcoind.nix
+++ b/modules/bitcoind.nix
@@ -55,6 +55,8 @@ let
 # Extra options
 ${cfg.extraConfig}
 '';
+
+ zmqServerEnabled = (cfg.zmqpubrawblock != null) || (cfg.zmqpubrawtx != null);
 in {
 options = {
 services.bitcoind = {
@@ -358,7 +360,7 @@ in {
 UMask = mkIf cfg.dataDirReadableByGroup "0027";
 ReadWritePaths = cfg.dataDir;
 } // nbLib.allowedIPAddresses cfg.enforceTor
- // optionalAttrs (cfg.zmqpubrawblock != null || cfg.zmqpubrawtx != null) nbLib.allowAnyProtocol;
+ // optionalAttrs zmqServerEnabled nbLib.allowNetlink;
 };
 # Use this to update the banlist:
diff --git a/modules/clightning-plugins/zmq.nix b/modules/clightning-plugins/zmq.nix
index 19eacf4..5ba2ece 100644
--- a/modules/clightning-plugins/zmq.nix
+++ b/modules/clightning-plugins/zmq.nix
@@ -4,6 +4,8 @@ with lib;
 let
 cfg = config.services.clightning.plugins.zmq;
+ nbLib = config.nix-bitcoin.lib;
+
 endpoints = [
 "channel-opened"
 "connect"
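Review bot: `zmqServerEnabled` is introduced in the first bitcoind.nix hunk without a comment saying what "server" means here, so the gating it feeds further down is only explained by the commit message. A one-liner above the binding would make it self-explanatory: `# bitcoind only opens ZMQ publisher (server) sockets when at least one zmqpub* endpoint is configured`. The condition itself (either endpoint non-null) is the same one it replaces in the second hunk.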
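Review bot: In the second bitcoind.nix hunk `nbLib.allowNetlink` is merged last with `//`, so its `RestrictAddressFamilies` replaces whatever the base serviceConfig set or `nbLib.allowedIPAddresses` define for that key rather than adding AF_NETLINK to it. That is only equivalent to "add AF_NETLINK" while the service's families are otherwise exactly `defaultHardening`'s (which is what `allowNetlink` is built from in pkgs/lib.nix); any narrower per-service setting made earlier in the merge chain would be silently widened, which cannot be verified from this hunk alone. The same replace-not-extend semantics apply to the lightning-pool.nix hunk and, via mkForce, to the zmq.nix hunk. A comment at the merge site, `# replaces RestrictAddressFamilies with defaultHardening's families + AF_NETLINK`, would record that assumption for the next maintainer.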
@@ -38,5 +40,9 @@ in
 plugin=${config.nix-bitcoin.pkgs.clightning-plugins.zmq.path}
 ${concatStrings (map setEndpoint endpoints)}
 '';
+
+ # The zmq server requires AF_NETLINK
+ systemd.services.clightning.serviceConfig.RestrictAddressFamilies =
+ mkForce nbLib.allowNetlink.RestrictAddressFamilies;
 };
 }
diff --git a/modules/lightning-pool.nix b/modules/lightning-pool.nix
index 89dcfec..7736d0a 100644
--- a/modules/lightning-pool.nix
+++ b/modules/lightning-pool.nix
@@ -100,7 +100,8 @@ in {
 Restart = "on-failure";
 RestartSec = "10s";
 ReadWritePaths = cfg.dataDir;
- } // (nbLib.allowedIPAddresses cfg.enforceTor);
+ } // (nbLib.allowedIPAddresses cfg.enforceTor)
+ // nbLib.allowNetlink; # required by gRPC-Go
 };
 };
 }
diff --git a/modules/lnd.nix b/modules/lnd.nix
index be59675..8093bc9 100644
--- a/modules/lnd.nix
+++ b/modules/lnd.nix
@@ -262,8 +262,7 @@ in {
 '') (attrNames cfg.macaroons)}
 '')
 ];
- } // nbLib.allowedIPAddresses cfg.enforceTor
- // nbLib.allowAnyProtocol; # For ZMQ
+ } // nbLib.allowedIPAddresses cfg.enforceTor;
 };
 users.users.${cfg.user} = {
diff --git a/pkgs/lib.nix b/pkgs/lib.nix
index bf29b68..e42b641 100644
--- a/pkgs/lib.nix
+++ b/pkgs/lib.nix
@@ -33,6 +33,10 @@ let self = {
 SystemCallArchitectures = "native";
 };
+ allowNetlink = {
+ RestrictAddressFamilies = self.defaultHardening.RestrictAddressFamilies + " AF_NETLINK";
+ };
+
 # nodejs applications apparently rely on memory write execute
 nodejs = {
 MemoryDenyWriteExecute = "false";
 };
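Review bot: The `mkForce` in the zmq.nix hunk makes this definition win silently over any other normal-priority definition of `RestrictAddressFamilies` for clightning, including one a user adds in their own configuration (a user `mkForce` would then turn into a conflict error instead of a merge). It presumably has to be forced because the base clightning service already sets the same string-valued key and string options cannot be merged, but the comment only says why AF_NETLINK is needed, not why the override is forced or that it replaces the whole list. Suggested comment: `# RestrictAddressFamilies is a string option and cannot be merged, so override the base value with defaultHardening's families + AF_NETLINK (needed by the zmq server)`. clightning.nix's own serviceConfig is outside this patch, so whether it already uses a non-default priority cannot be checked here.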
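Review bot: The lnd.nix hunk drops `allowAnyProtocol` and leaves lnd with only the default families, while the lightning-pool.nix hunk adds AF_NETLINK with the justification `# required by gRPC-Go`; lnd is also a Go program exposing a gRPC server, so if that requirement is real for pool it plausibly applies to lnd as well, and the tightening could break lnd's gRPC listener at runtime. Per the description the directive is a no-op on NixOS 20.09, so such a breakage would only surface on unstable with cgroups v2 and would not show up in a 20.09 test. Either add `// nbLib.allowNetlink; # required by gRPC-Go` here as in lightning-pool.nix, or record in a comment why lnd is exempt, e.g. `# lnd only runs a ZMQ client, and its gRPC server needs no extra address families`, after confirming it on a system where the restriction is enforced.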
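Review bot: `allowNetlink` in the pkgs/lib.nix hunk has no comment explaining what AF_NETLINK is for, and it builds the value by string concatenation on `self.defaultHardening.RestrictAddressFamilies`, which only works while that attribute stays a space-separated string (a list value would make the `+` fail at evaluation time). A comment above the binding would document both the purpose and the contract: `# defaultHardening's address families plus AF_NETLINK; needed by the ZMQ server in bitcoind/clightning and by gRPC-Go in lightning-pool. Assumes defaultHardening.RestrictAddressFamilies is a space-separated string; when merged with // it replaces, not extends, a service's own value.` Since the description says the directive is a no-op on NixOS 20.09, it is also worth noting there that the setting is only exercised on unstable with cgroups v2, so a missing effect on 20.09 is not mistaken for a bug in this helper.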