security: simplify and fix dbus configuration

Previously, due to the dependency on a helper service, this dbus config was initially inactive after system boot, allowing for unrestricted use of the problematic dbus call. This also broke the accompanying VM test on faster systems. Remove 'allow' policy for root because it's a no-op: 1. It's overridden by the 'mandatory' deny policy. 2. Root can use all dbus calls anyways, regardless of policy settings. Also, add some comments.
2020-08-20 13:11:07 +02:00 · 2020-08-20 13:11:07 +02:00 · 96ea2e671c
parent 343e026030
commit 96ea2e671c
1 changed files with 11 additions and 39 deletions
--- a/modules/security.nix
+++ b/modules/security.nix
@ -1,55 +1,27 @@
 { config, lib, pkgs, ... }:

-with lib;
+{
+  # Only show the current user's processes in /proc.
+  # Users with group 'proc' can still access all processes.
+  security.hideProcessInformation = true;

-let
-  inherit (config) nix-bitcoin-services;
-  dataDir = "/var/lib/dbus-hardening";
-  # Mitigates a security issue that allows unprivileged users to read
-  # other unprivileged user's processes' credentials from CGroup using
-  # `systemctl status`.
-  dbus-hardening = pkgs.writeText "dbus.conf" ''
+  # This mitigates a systemd security issue leaking (sub)process
+  # command lines.
+  # Only allow root to retrieve systemd unit information like
+  # cgroup paths (i.e. (sub)process command lines) via D-Bus.
+  # This D-Bus call is used by `systemctl status`.
+  services.dbus.packages = [ (pkgs.writeTextDir "etc/dbus-1/system.d/dbus.conf" ''
    <?xml version="1.0" encoding="UTF-8"?> <!-- -*- XML -*- -->

    <!DOCTYPE busconfig PUBLIC
     "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
     "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">

-    <busconfig>
-      <policy user="root">
-        <allow send_destination="org.freedesktop.systemd1"
-          send_interface="org.freedesktop.systemd1.Manager"
-          send_member="GetUnitProcesses"/>
-      </policy>
-
      <policy context="mandatory">
        <deny send_destination="org.freedesktop.systemd1"
          send_interface="org.freedesktop.systemd1.Manager"
          send_member="GetUnitProcesses"/>
      </policy>
    </busconfig>
-  '';
-in {
-  config = {
-    systemd.tmpfiles.rules = [
-      "d '${dataDir}/etc/dbus-1/system.d' 0770 messagebus messagebus - -"
-    ];
-
-    services.dbus.packages = [ "${dataDir}" ];
-
-    systemd.services.hardeneddbus = {
-      description = "Install hardeneddbus";
-      wantedBy = [ "multi-user.target" ];
-      script = ''
-        cp ${dbus-hardening} ${dataDir}/etc/dbus-1/system.d/dbus.conf
-        chmod 640 ${dataDir}/etc/dbus-1/system.d/dbus.conf
-      '';
-      serviceConfig = nix-bitcoin-services.defaultHardening // {
-        PrivateNetwork = "true";
-        Type = "oneshot";
-        User = "messagebus";
-        ReadWritePaths = "${dataDir}";
-      };
-    };
-  };
+  '') ];
 }