security: enable full systemd-status for group 'proc'

Previously, systemd-status was broken for all users except root. Use a 'default' deny policy, which is overridden for group 'proc'. Add operator to group 'proc'. Also, remove redundant XML boilerplate.
2020-08-20 13:11:08 +02:00 · 2020-08-20 13:11:08 +02:00 · 588a0b2405
parent 96ea2e671c
commit 588a0b2405
3 changed files with 25 additions and 16 deletions
--- a/modules/presets/secure-node.nix
+++ b/modules/presets/secure-node.nix
@ -227,6 +227,7 @@ in {
      isNormalUser = true;
      extraGroups = [
          "systemd-journal"
+          "proc" # Enable full /proc access and systemd-status
          cfg.bitcoind.group
        ]
        ++ (optionals cfg.clightning.enable [ "clightning" ])
--- a/modules/security.nix
+++ b/modules/security.nix
@ -7,21 +7,27 @@

  # This mitigates a systemd security issue leaking (sub)process
  # command lines.
-  # Only allow root to retrieve systemd unit information like
+  # Only allow users with group 'proc' to retrieve systemd unit information like
  # cgroup paths (i.e. (sub)process command lines) via D-Bus.
  # This D-Bus call is used by `systemctl status`.
-  services.dbus.packages = [ (pkgs.writeTextDir "etc/dbus-1/system.d/dbus.conf" ''
-    <?xml version="1.0" encoding="UTF-8"?> <!-- -*- XML -*- -->
-
-    <!DOCTYPE busconfig PUBLIC
-     "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
-     "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
-
-      <policy context="mandatory">
-        <deny send_destination="org.freedesktop.systemd1"
-          send_interface="org.freedesktop.systemd1.Manager"
-          send_member="GetUnitProcesses"/>
-      </policy>
-    </busconfig>
-  '') ];
+  services.dbus.packages = lib.mkAfter [ # Apply at the end to override the default policy
+    (pkgs.writeTextDir "etc/dbus-1/system.d/dbus.conf" ''
+      <busconfig>
+        <policy context="default">
+          <deny
+            send_destination="org.freedesktop.systemd1"
+            send_interface="org.freedesktop.systemd1.Manager"
+            send_member="GetUnitProcesses"
+          />
+        </policy>
+        <policy group="proc">
+          <allow
+            send_destination="org.freedesktop.systemd1"
+            send_interface="org.freedesktop.systemd1.Manager"
+            send_member="GetUnitProcesses"
+          />
+        </policy>
+      </busconfig>
+    '')
+  ];
 }
--- a/test/scenarios/lib.py
+++ b/test/scenarios/lib.py
@ -103,11 +103,13 @@ def run_tests(extra_tests):
    machine.wait_until_succeeds(log_has_string("bitcoind-import-banlist", "Importing node banlist"))
    assert_no_failure("bitcoind-import-banlist")

-    # test that `systemctl status` can't leak credentials
+    # `systemctl status` run by unprivileged users shouldn't leak cgroup info
    assert_matches(
        "sudo -u electrs systemctl status clightning 2>&1 >/dev/null",
        "Failed to dump process list for 'clightning.service', ignoring: Access denied",
    )
+    # The 'operator' with group 'proc' has full access
+    assert_full_match("sudo -u operator systemctl status clightning 2>&1 >/dev/null", "")
    machine.succeed("grep -Fq hidepid=2 /proc/mounts")

    ### Additional tests