Commit Graph

1697 Commits

Author SHA1 Message Date
Erik Arvstedt
588a0b2405
security: enable full systemd-status for group 'proc'
Previously, systemd-status was broken for all users except root.

Use a 'default' deny policy, which is overridden for group 'proc'.

Add operator to group 'proc'.

Also, remove redundant XML boilerplate.
2020-08-20 13:12:06 +02:00
Erik Arvstedt
96ea2e671c
security: simplify and fix dbus configuration
Previously, due to the dependency on a helper service, this dbus config
was initially inactive after system boot, allowing for unrestricted use
of the problematic dbus call.
This also broke the accompanying VM test on faster systems.

Remove 'allow' policy for root because it's a no-op:
1. It's overridden by the 'mandatory' deny policy.
2. Root can use all dbus calls anyways, regardless of policy settings.

Also, add some comments.
2020-08-20 13:12:06 +02:00
Erik Arvstedt
343e026030
rename dbus.nix -> security.nix
This file has a broader scope than just configuring dbus.
2020-08-20 13:12:06 +02:00
Erik Arvstedt
7367446761
test: rename assert_matches_exactly -> assert_full_match
More precise, needed in a later commit.
2020-08-20 13:12:05 +02:00
Jonas Nick
dd78d2b2a1
Add --dry-run option to push-release script 2020-08-18 08:36:19 +00:00
Jonas Nick
72000b4a99
Merge #200: backups: add module
22c3fd52e1 backups: add feature test (nixbitcoin)
e4fb7a52de backups: add module (nixbitcoin)

Pull request description:

ACKs for top commit:
  jonasnick:
    ACK 22c3fd52e1

Tree-SHA512: 625c1fe4f12ea881b5adb04e07187eae60451402462cd3032b2f741b3f23ee73ea68b98aeb8cfd9206890e8227229cb4ab0cdb5f7935f34fc33fc50dc5df26c9
2020-08-04 15:38:44 +00:00
nixbitcoin
22c3fd52e1
backups: add feature test 2020-08-04 15:25:39 +00:00
nixbitcoin
e4fb7a52de
backups: add module 2020-08-04 15:25:37 +00:00
Jonas Nick
62f83a71b8
Merge #218: Fix typos
df89ceed39 Fix typos (practicalswift)

Pull request description:

ACKs for top commit:
  jonasnick:
    ACK df89ceed39

Tree-SHA512: 8cd04469dd0c46259790f00f380a840c22f10424c2504a7667e70cfdb03f30801e34f3c53aeffc9259a971484d4a12f1dbe5ceade493c8559e8c00ec011e7c73
2020-08-04 15:13:09 +00:00
Jonas Nick
3f53d7da40
Merge #217: Concurrent LN
e650df30d5 bitcoind: bump rpcthread count (nixbitcoin)
46e15ee9cc tests: make lnd & clightning tests run concurrently (nixbitcoin)
ac96fd59db assertions: make lnd.enable depend on !clightning.enable or port != 9735 (nixbitcoin)
3ed564ea06 lnd: make listen IP address only (nixbitcoin)
716e98789c lnd: add listenPort option (nixbitcoin)
43da15557d clightning: refactor bind-addr to be IP address only (nixbitcoin)
d99ccc8445 clightning: add bindport option (nixbitcoin)

Pull request description:

ACKs for top commit:
  jonasnick:
    ACK e650df30d5

Tree-SHA512: 5c8c2cdd41cd57c60fc91d5752190b7ff905041b09cda32d60d1790960321a86ea5e9e1f7b4519198bcb28372034f86362778d1b960369a23d24c29d0c2ecccf
2020-08-04 15:10:07 +00:00
nixbitcoin
e650df30d5
bitcoind: bump rpcthread count 2020-08-04 14:46:57 +00:00
nixbitcoin
46e15ee9cc
tests: make lnd & clightning tests run concurrently 2020-08-04 14:07:12 +00:00
nixbitcoin
ac96fd59db
assertions: make lnd.enable depend on !clightning.enable or port != 9735 2020-08-04 14:07:10 +00:00
nixbitcoin
3ed564ea06
lnd: make listen IP address only 2020-08-04 14:07:08 +00:00
nixbitcoin
716e98789c
lnd: add listenPort option 2020-08-04 14:07:06 +00:00
nixbitcoin
43da15557d
clightning: refactor bind-addr to be IP address only
With typecheck
2020-08-04 14:07:02 +00:00
practicalswift
df89ceed39 Fix typos 2020-08-04 13:32:06 +00:00
nixbitcoin
d99ccc8445
clightning: add bindport option 2020-08-04 12:42:57 +00:00
Jonas Nick
b6179639fe
Merge #215: Improve abstraction in test scenarios
4ece2da8db tests: move nginx check in scenarios lib (Jonas Nick)
5c0170c6b8 tests: add post-clightning extra tests to scenarios (Jonas Nick)
5fa0602a18 tests: add extra_tests argument to scenario lib run_tests() (Jonas Nick)
6f9349b0a4 tests: create run_tests() function in the scenario lib (Jonas Nick)
3d2b366156 tests: move common code in tests to lib (Jonas Nick)
e13c532dbf tests: move common code of scenarios python scripts to the top (Jonas Nick)

Pull request description:

ACKs for top commit:
  nixbitcoin:
    ACK 4ece2da8db

Tree-SHA512: 72893ff186915dd1b1439f2a81bc75d3618f89ee21f1229448cabaced6ca10c244705a74e9f4e6f8825691df9cd351a6dc9e142ec87ecab8ee17a17e78c72292
2020-08-04 12:42:16 +00:00
Jonas Nick
4ece2da8db
tests: move nginx check in scenarios lib 2020-08-04 12:17:47 +00:00
Jonas Nick
5c0170c6b8
tests: add post-clightning extra tests to scenarios 2020-08-04 12:17:47 +00:00
Jonas Nick
5fa0602a18
tests: add extra_tests argument to scenario lib run_tests() 2020-08-04 12:17:47 +00:00
Jonas Nick
6f9349b0a4
tests: create run_tests() function in the scenario lib 2020-08-02 21:20:51 +00:00
Jonas Nick
3d2b366156
tests: move common code in tests to lib 2020-08-02 21:12:45 +00:00
Jonas Nick
e13c532dbf
tests: move common code of scenarios python scripts to the top 2020-08-02 20:59:11 +00:00
Jonas Nick
0baeb2acce
Merge #209: Lightning loop
e9204946d4 lightning-loop: add tests (nixbitcoin)
491d83a658 lightning-loop: add module (nixbitcoin)
8f3588b13f lnd: higher attempt limit for less-powerful machines (nixbitcoin)
1bb801ad7b lightning-loop: add pkg (nixbitcoin)

Pull request description:

ACKs for top commit:
  jonasnick:
    ACK e9204946d4

Tree-SHA512: cc8bb85978350dd530c3c8d2c9aca5ddc4ab1f72cdd27d031bb303eca1d9473f18e45bc119c62bb2991faa32b3e1d42e4439f02a56ab3a6b975b0bd491195604
2020-07-28 20:02:12 +00:00
Jonas Nick
9e453bab86
Merge #202: RPC Whitelist
5086fc3234 bitcoin: drive-by prune fix (nixbitcoin)
21c0fb440d rpcwhitelist: add feature test (nixbitcoin)
1bf45a9547 bitcoind: add rpcwhitelist feature (nixbitcoin)
5a978a2836 bitcoind: switch from rpcpassword to rpcauth (nixbitcoin)

Pull request description:

ACKs for top commit:
  jonasnick:
    ACK 5086fc3234

Tree-SHA512: f456f3409b3bc22dc9ad1296fa00f7e8a442b4072cd4deda067bf2f951eb7d4302283b816ebf769abaa7017e26b19b734f66604cd435d99b810ce535735f7c08
2020-07-28 17:38:07 +00:00
nixbitcoin
e9204946d4
lightning-loop: add tests 2020-07-28 15:55:54 +00:00
nixbitcoin
491d83a658
lightning-loop: add module 2020-07-28 15:55:52 +00:00
nixbitcoin
8f3588b13f
lnd: higher attempt limit for less-powerful machines
Opening main database sometimes takes longer than 50 ExecStartPost
restPort connection attempts.
2020-07-28 15:55:50 +00:00
nixbitcoin
1bb801ad7b
lightning-loop: add pkg 2020-07-28 15:55:48 +00:00
nixbitcoin
5086fc3234
bitcoin: drive-by prune fix 2020-07-28 14:32:54 +00:00
nixbitcoin
21c0fb440d
rpcwhitelist: add feature test 2020-07-28 14:32:52 +00:00
nixbitcoin
1bf45a9547
bitcoind: add rpcwhitelist feature
Default behavior for rpc whitelisting is set to 0, which means that
rpcwhitelisting is only enforced for rpc users for whom an `rpcwhitelist`
exists.
2020-07-28 14:32:50 +00:00
nixbitcoin
5a978a2836
bitcoind: switch from rpcpassword to rpcauth
Includes bitcoind's `share/rpcauth` to convert apg generated passwords
into salted HMAC-SHA-256 hashed passwords.
2020-07-28 14:32:47 +00:00
Jonas Nick
272b8568e7
Merge #213: Fix systemd leak
6a8e29e016 tests: add dbus-hardening and hideProcessInformation (nixbitcoin)
0248e6493f systemd: lock down systemctl status (nixbitcoin)

Pull request description:

ACKs for top commit:
  jonasnick:
    ACK 6a8e29e016

Tree-SHA512: 1ee8ce42f71e1a8977f5a84053b10f5f7f56da395d4f801447d2d344540640fc496ef0ff341cb32ca92ac064d43d04f118bf580c42d31022e6ed84815b8f72c6
2020-07-28 12:58:07 +00:00
nixbitcoin
6a8e29e016
tests: add dbus-hardening and hideProcessInformation 2020-07-28 11:37:16 +00:00
nixbitcoin
0248e6493f
systemd: lock down systemctl status
Mitigates a security issue that allows unprivileged users to read other
unprivileged user's processes' credentials from CGroup using `systemctl
status`.
2020-07-28 11:28:09 +00:00
Jonas Nick
6e694890eb
Merge #203: Remove electrs tls
6365412312 test-script: remove nginx tls proxy test (nixbitcoin)
4dbc348921 electrs: remove TLSProxy (nixbitcoin)

Pull request description:

Top commit has no ACKs.

Tree-SHA512: 079a0c892f8e25d6ba0267cc99022550f4cfe74bad3f9270733ecda09350595a11aec8d40b89df6e6ad7cca1e26b7e480a265bf6e2d01d0fe912ca3ece00f655
2020-07-21 15:04:22 +00:00
nixbitcoin
6365412312
test-script: remove nginx tls proxy test 2020-07-21 13:58:32 +00:00
nixbitcoin
4dbc348921
electrs: remove TLSProxy
https://github.com/spesmilo/electrum/issues/5278 was resolved
2020-07-21 13:41:03 +00:00
Jonas Nick
6856b8cb42
Merge #210: bitcoind: postStart wait until bitcoind can receive rpc calls
02853067a1 bitcoind: postStart wait until bitcoind can receive rpc calls (nixbitcoin)

Pull request description:

ACKs for top commit:
  jonasnick:
    ACK 02853067a1

Tree-SHA512: 601b04957a26853c04d768b074006f0716edb131698afde2afb94cb0c862dddb745b93ef39ed014f95a01545eb60d370fd82201d0a898c7dac4c19622d25dafe
2020-07-21 13:26:51 +00:00
nixbitcoin
02853067a1
bitcoind: postStart wait until bitcoind can receive rpc calls 2020-07-21 13:23:07 +00:00
Jonas Nick
aad0fe6e45
Merge #187: Network Namespaces
681728294b tests: run scenarios as multiple Travis jobs (nixbitcoin)
43ce847e2b tests: allow running integration tests with different configurations (nixbitcoin)
8783f38fba tests: add netns to testing framework (nixbitcoin)
25adce29e5 secure-node: only mkHiddenServices if services are enabled (nixbitcoin)
c542b92e55 nginx: add netns (nixbitcoin)
ef89607704 recurring-donations: add netns (nixbitcoin)
582cb86d74 nanopos: add netns (nixbitcoin)
7369f0a7ec lightning-charge: add netns (nixbitcoin)
c4ab73d51f spark-wallet: add netns (nixbitcoin)
d6296acaba electrs: add netns (nixbitcoin)
c0b02ac93a liquid: add netns cli script (nixbitcoin)
672a416ede liquidd: add netns (nixbitcoin)
4b8ca52647 lnd: add netns cli script (nixbitcoin)
c55296433d lnd: add netns (nixbitcoin)
f3d2aaa5d4 lnd: prepare for netns and bring in line with clightning (nixbitcoin)
3c0c446547 clightning: add netns (nixbitcoin)
ae1230e13b clightning: remove bitcoin-rpcuser option (nixbitcoin)
65b5dab3d4 clightning: add announce-tor (nixbitcoin)
515aae2825 bitcoind: add netns and nonetns cli scripts (nixbitcoin)
75ca6f186c bitcoind: add netns (nixbitcoin)
e5e07b91f7 netns-isolation: netns architecture (nixbitcoin)
4a7199a3da netns-exec: add c program to execute commands in netns (Jonas Nick)

Pull request description:

ACKs for top commit:
  jonasnick:
    ACK 681728294b

Tree-SHA512: 53083067dd94bfb38d06e9b7f0d2deaeb1b95067dc0c6e50d07073405ff5270de54fa56761e861d23eb0f0a9457f0e1e2c46ed71d732c0cfbaa09b6d425e0691
2020-07-21 12:05:50 +00:00
nixbitcoin
681728294b
tests: run scenarios as multiple Travis jobs 2020-07-21 09:39:01 +00:00
nixbitcoin
43ce847e2b
tests: allow running integration tests with different configurations 2020-07-21 09:38:59 +00:00
nixbitcoin
8783f38fba
tests: add netns to testing framework 2020-07-21 09:38:57 +00:00
nixbitcoin
25adce29e5
secure-node: only mkHiddenServices if services are enabled 2020-07-21 09:38:55 +00:00
nixbitcoin
c542b92e55
nginx: add netns
- Adds nginx to netns-isolation.services
- Adds host option (defaults to localhost) as target of hidden service
2020-07-21 09:38:53 +00:00
nixbitcoin
ef89607704
recurring-donations: add netns
- Adds recurring-donations to netns-isolation.services
- Adds cfg.enforceTor to bring recurring-donations in line with other
  services
- Removes torsocks dependency in favor of `curl --socks-hostname`
2020-07-21 09:38:51 +00:00