From a040e5285432452af613b4b72a65e852e63c31b6 Mon Sep 17 00:00:00 2001
From: nixbitcoin
Date: Tue, 5 May 2020 17:15:16 +0200
Subject: [PATCH] All modules: ProtectSystem = strict
Add ReadWritePaths in all modules, except lnd which has ProtectSystem = full.
---
 modules/bitcoind.nix | 2 ++
 modules/clightning.nix | 1 +
 modules/electrs.nix | 1 +
 modules/lightning-charge.nix | 1 +
 modules/liquid.nix | 1 +
 modules/lnd.nix | 1 +
 modules/nix-bitcoin-services.nix | 2 +-
 modules/nix-bitcoin-webindex.nix | 1 +
 modules/onion-chef.nix | 1 +
 modules/spark-wallet.nix | 1 +
 10 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/modules/bitcoind.nix b/modules/bitcoind.nix
index 74323cb..6f2dc1c 100644
--- a/modules/bitcoind.nix
+++ b/modules/bitcoind.nix
@@ -286,6 +286,7 @@ in {
 ExecStart = "${cfg.package}/bin/bitcoind -datadir='${cfg.dataDir}'";
 Restart = "on-failure";
 UMask = mkIf cfg.dataDirReadableByGroup "0027";
+ ReadWritePaths = "${cfg.dataDir}";
 } // (if cfg.enforceTor
 then nix-bitcoin-services.allowTor
 else nix-bitcoin-services.allowAnyIP
@@ -317,6 +318,7 @@ in {
 serviceConfig = nix-bitcoin-services.defaultHardening // {
 User = "${cfg.user}";
 Group = "${cfg.group}";
+ ReadWritePaths = "${cfg.dataDir}";
 } // nix-bitcoin-services.allowTor;
 };
diff --git a/modules/clightning.nix b/modules/clightning.nix
index 501b4c9..e513fa9 100644
--- a/modules/clightning.nix
+++ b/modules/clightning.nix
@@ -102,6 +102,7 @@ in {
 User = "clightning";
 Restart = "on-failure";
 RestartSec = "10s";
+ ReadWritePaths = "${cfg.dataDir}";
 } // (if cfg.enforceTor
 then nix-bitcoin-services.allowTor
 else nix-bitcoin-services.allowAnyIP
diff --git a/modules/electrs.nix b/modules/electrs.nix
index 379ea0f..4c2b95f 100644
--- a/modules/electrs.nix
+++ b/modules/electrs.nix
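Review bot: `ReadWritePaths = "${cfg.dataDir}"` only re-exposes a directory that already exists when systemd builds the unit's mount namespace, and ExecStartPre runs inside that same sandbox; if `cfg.dataDir` is first created by a preStart script (outside the hunk), that mkdir now hits a read-only /var/lib and the unit fails before bitcoind starts — as far as I recall a missing entry is either ignored or fails the unit depending on the systemd version, so please confirm on the target release. `StateDirectory=` or a tmpfiles rule that creates the directory before the unit is the usual remedy, and the identical lines in clightning.nix, liquid.nix and lightning-charge.nix have the same dependency. Writing the value as a Nix list, `ReadWritePaths = [ cfg.dataDir ];`, also avoids systemd whitespace-splitting a data directory whose path contains a space. The serviceConfig attribute set continues outside the hunk.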
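Review bot: The bitcoind-import-banlist unit probably does not need write access to `cfg.dataDir`: if its ExecStart (outside the hunk) only runs bitcoin-cli, it merely reads the RPC cookie, and ProtectSystem=strict leaves reads untouched; banlist.dat is written by the bitcoind daemon, not by this unit. Dropping the added `ReadWritePaths` line would keep the one-shot importer unable to modify wallet or chain state on disk. If it really does write into the data directory, a comment naming the file would justify the grant.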
@@ -97,6 +97,7 @@ in {
 Group = cfg.group;
 Restart = "on-failure";
 RestartSec = "10s";
+ ReadWritePaths = "${cfg.dataDir} ${if cfg.high-memory then "${config.services.bitcoind.dataDir}" else ""}";
 } // (if cfg.enforceTor
 then nix-bitcoin-services.allowTor
 else nix-bitcoin-services.allowAnyIP
diff --git a/modules/lightning-charge.nix b/modules/lightning-charge.nix
index aa392ed..d5d1d67 100644
--- a/modules/lightning-charge.nix
+++ b/modules/lightning-charge.nix
@@ -58,6 +58,7 @@ in {
 User = user;
 Restart = "on-failure";
 RestartSec = "10s";
+ ReadWritePaths = "${cfg.dataDir}";
 } // nix-bitcoin-services.nodejs // nix-bitcoin-services.allowTor;
 };
diff --git a/modules/liquid.nix b/modules/liquid.nix
index bbd45fb..d943eb2 100644
--- a/modules/liquid.nix
+++ b/modules/liquid.nix
@@ -224,6 +224,7 @@ in {
 ExecStart = "${pkgs.nix-bitcoin.elementsd}/bin/elementsd ${cmdlineOptions}";
 PIDFile = "${pidFile}";
 Restart = "on-failure";
+ ReadWritePaths = "${cfg.dataDir}";
 } // (if cfg.enforceTor
 then nix-bitcoin-services.allowTor
 else nix-bitcoin-services.allowAnyIP
diff --git a/modules/lnd.nix b/modules/lnd.nix
index 8554db6..720dcb9 100644
--- a/modules/lnd.nix
+++ b/modules/lnd.nix
@@ -106,6 +106,7 @@ in {
 User = "lnd";
 Restart = "on-failure";
 RestartSec = "10s";
+ ProtectSystem = "full"; # ToDo: Make more restrictive
 } // (if cfg.enforceTor
 then nix-bitcoin-services.allowTor
 else nix-bitcoin-services.allowAnyIP
diff --git a/modules/nix-bitcoin-services.nix b/modules/nix-bitcoin-services.nix
index dba6dd3..e899bd9 100644
--- a/modules/nix-bitcoin-services.nix
+++ b/modules/nix-bitcoin-services.nix
@@ -7,7 +7,7 @@ with lib; {
 defaultHardening = {
 PrivateTmp = "true";
- ProtectSystem = "full";
+ ProtectSystem = "strict";
 ProtectHome = "true";
 NoNewPrivileges = "true";
 PrivateDevices = "true";
diff --git a/modules/nix-bitcoin-webindex.nix b/modules/nix-bitcoin-webindex.nix
index 7429500..4f756c3 100644
--- a/modules/nix-bitcoin-webindex.nix
+++ b/modules/nix-bitcoin-webindex.nix
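Review bot: When `cfg.high-memory` is set, the new `ReadWritePaths` line grants electrs write access to bitcoind's entire data directory, which is more than it needs: electrs reads the blk*.dat files in that tree but, as far as I know, never writes there, and ProtectSystem=strict does not restrict reads at all. A compromised electrs could then corrupt chain or wallet files owned by bitcoind; `ReadWritePaths = "${cfg.dataDir}";` alone should be sufficient, and if the bitcoind dependency is worth documenting, `ReadOnlyPaths` is the place to list it. The `else ""` branch leaves a trailing space in the value, harmless since systemd splits the setting on whitespace. The serviceConfig attribute set continues outside the hunk.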
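Review bot: The `ProtectSystem = "full"` override for lnd should record why strict could not be used, otherwise the ToDo is not actionable for the next maintainer. A comment such as `# ToDo: lnd writes outside ${cfg.dataDir} (which paths?); switch to strict + ReadWritePaths once they are known` captures the missing fact. As written, lnd is the only unit in this patch that keeps all of /var writable, so it now has the weakest filesystem sandbox of the set and should be called out as such in the commit description or the module.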
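Review bot: `ProtectSystem = "strict"` in defaultHardening changes the contract for every unit that merges this attribute set, including any module not touched by this patch, so the line deserves a comment stating the obligation, e.g. `# strict: the whole tree is read-only; each unit must list its writable directories in ReadWritePaths (or use StateDirectory)`. Consumers that create their data directory in ExecStartPre are affected too, because that step runs inside the same sandbox. The remaining attributes of defaultHardening continue outside the hunk.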
@@ -92,6 +92,7 @@ in {
 Restart = "on-failure";
 RestartSec = "10s";
 PrivateNetwork = "true"; # This service needs no network access
+ ReadWritePaths = "/var/www";
 CapabilityBoundingSet = "CAP_SETUID CAP_SETGID CAP_SETPCAP CAP_SYS_ADMIN CAP_CHOWN CAP_FSETID CAP_SETFCAP CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER CAP_IPC_OWNER";
 } // (if cfg.enforceTor
 then nix-bitcoin-services.allowTor
diff --git a/modules/onion-chef.nix b/modules/onion-chef.nix
index 86d035e..dcc4ea2 100644
--- a/modules/onion-chef.nix
+++ b/modules/onion-chef.nix
@@ -81,6 +81,7 @@ in {
 Type = "oneshot";
 RemainAfterExit = true;
 PrivateNetwork = "true"; # This service needs no network access
+ ReadWritePaths = "${dataDir}";
 CapabilityBoundingSet = "CAP_CHOWN CAP_FSETID CAP_SETFCAP CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER CAP_IPC_OWNER";
 };
 };
diff --git a/modules/spark-wallet.nix b/modules/spark-wallet.nix
index f1c3179..a329def 100644
--- a/modules/spark-wallet.nix
+++ b/modules/spark-wallet.nix
@@ -75,6 +75,7 @@ in {
 User = "spark-wallet";
 Restart = "on-failure";
 RestartSec = "10s";
+ ReadWritePaths = "/var/lib/onion-chef";
 } // nix-bitcoin-services.nodejs // nix-bitcoin-services.allowTor;
 };
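Review bot: `ReadWritePaths = "/var/www"` only constrains writes as long as the service cannot undo the read-only mounts, and the `CapabilityBoundingSet` on the next line still retains CAP_SYS_ADMIN, which is enough to remount the tree inside the unit's namespace; systemd's documentation recommends combining ReadWritePaths/ReadOnlyPaths with `CapabilityBoundingSet=~CAP_SYS_ADMIN` or `SystemCallFilter=~@mount` for exactly this reason. Whether the process actually holds that capability depends on the User it runs as, which is outside the hunk, so this is a point to confirm rather than a certain defect. If CAP_SYS_ADMIN is only needed during setup, dropping it from the bounding set or adding `SystemCallFilter = "~@mount";` keeps the new restriction enforceable.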
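Review bot: `ReadWritePaths = "/var/lib/onion-chef"` gives spark-wallet write access to another service's whole state directory, so a compromised wallet process could alter the onion hostnames that the other modules read from there. If spark-wallet only reads its own hostname (its preStart is outside the hunk), no entry is needed, because strict never restricts reads; if it does write, scope the grant to its own subdirectory, e.g. `ReadWritePaths = "/var/lib/onion-chef/spark-wallet";`, and derive the prefix from the same binding onion-chef.nix uses as `dataDir` rather than repeating the literal. The serviceConfig attribute set's opening is outside the hunk.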