From 96ea2e671ca303d25b74a6e92848de3c929a7906 Mon Sep 17 00:00:00 2001 From: Erik Arvstedt Date: Thu, 20 Aug 2020 13:11:07 +0200 Subject: [PATCH] security: simplify and fix dbus configuration Previously, due to the dependency on a helper service, this dbus config was initially inactive after system boot, allowing for unrestricted use of the problematic dbus call. This also broke the accompanying VM test on faster systems. Remove 'allow' policy for root because it's a no-op: 1. It's overridden by the 'mandatory' deny policy. 2. Root can use all dbus calls anyways, regardless of policy settings. Also, add some comments. --- modules/security.nix | 50 ++++++++++---------------------------------- 1 file changed, 11 insertions(+), 39 deletions(-) diff --git a/modules/security.nix b/modules/security.nix index 000b0ff..89efc66 100644 --- a/modules/security.nix +++ b/modules/security.nix 
@@ -1,55 +1,27 @@ { config, lib, pkgs, ... }: -with lib; +{ + # Only show the current user's processes in /proc. + # Users with group 'proc' can still access all processes. + security.hideProcessInformation = true; -let - inherit (config) nix-bitcoin-services; - dataDir = "/var/lib/dbus-hardening"; - # Mitigates a security issue that allows unprivileged users to read - # other unprivileged user's processes' credentials from CGroup using - # `systemctl status`. - dbus-hardening = pkgs.writeText "dbus.conf" '' + # This mitigates a systemd security issue leaking (sub)process + # command lines. + # Only allow root to retrieve systemd unit information like + # cgroup paths (i.e. (sub)process command lines) via D-Bus. + # This D-Bus call is used by `systemctl status`. + services.dbus.packages = [ (pkgs.writeTextDir "etc/dbus-1/system.d/dbus.conf" '' - - - - - - ''; -in { - config = { - systemd.tmpfiles.rules = [ - "d '${dataDir}/etc/dbus-1/system.d' 0770 messagebus messagebus - -" - ]; - - services.dbus.packages = [ "${dataDir}" ]; - - systemd.services.hardeneddbus = { - description = "Install hardeneddbus"; - wantedBy = [ "multi-user.target" ]; - script = '' - cp ${dbus-hardening} ${dataDir}/etc/dbus-1/system.d/dbus.conf - chmod 640 ${dataDir}/etc/dbus-1/system.d/dbus.conf - ''; - serviceConfig = nix-bitcoin-services.defaultHardening // { - PrivateNetwork = "true"; - Type = "oneshot"; - User = "messagebus"; - ReadWritePaths = "${dataDir}"; - }; - }; - }; + '') ]; }
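Review bot: The comment block above `services.dbus.packages` says the policy restricts a systemd D-Bus call to root but never names the interface or method being denied, nor the systemd issue being mitigated, and the policy itself is an opaque XML string in the dropped-in file — so a later maintainer cannot judge when the workaround can be removed or what part of `systemctl status` output unprivileged users lose. I would extend the comment with the concrete target and a reference, e.g. `# Denies <INTERFACE.METHOD> to non-root users; see <SYSTEMD-ISSUE-URL>` (both values to be taken from the policy body, which is not legible in this rendering). Separately, the file is installed as the generic `etc/dbus-1/system.d/dbus.conf`; since `services.dbus.packages` merges each package's `system.d` directory into one tree, a more specific name such as `systemd-cgroup-hardening.conf` would avoid a path collision with another package shipping a `dbus.conf` — worth confirming against how the NixOS dbus module builds that environment.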