0248e6493f
Mitigates a security issue that allows unprivileged users to read other unprivileged user's processes' credentials from CGroup using `systemctl status`.
56 lines
1.7 KiB
Nix
56 lines
1.7 KiB
Nix
{ config, lib, pkgs, ... }:
|
|
|
|
with lib;
|
|
|
|
let
|
|
inherit (config) nix-bitcoin-services;
|
|
dataDir = "/var/lib/dbus-hardening";
|
|
# Mitigates a security issue that allows unprivileged users to read
|
|
# other unprivileged user's processes' credentials from CGroup using
|
|
# `systemctl status`.
|
|
dbus-hardening = pkgs.writeText "dbus.conf" ''
|
|
<?xml version="1.0" encoding="UTF-8"?> <!-- -*- XML -*- -->
|
|
|
|
<!DOCTYPE busconfig PUBLIC
|
|
"-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
|
|
"http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
|
|
|
|
<busconfig>
|
|
<policy user="root">
|
|
<allow send_destination="org.freedesktop.systemd1"
|
|
send_interface="org.freedesktop.systemd1.Manager"
|
|
send_member="GetUnitProcesses"/>
|
|
</policy>
|
|
|
|
<policy context="mandatory">
|
|
<deny send_destination="org.freedesktop.systemd1"
|
|
send_interface="org.freedesktop.systemd1.Manager"
|
|
send_member="GetUnitProcesses"/>
|
|
</policy>
|
|
</busconfig>
|
|
'';
|
|
in {
|
|
config = {
|
|
systemd.tmpfiles.rules = [
|
|
"d '${dataDir}/etc/dbus-1/system.d' 0770 messagebus messagebus - -"
|
|
];
|
|
|
|
services.dbus.packages = [ "${dataDir}" ];
|
|
|
|
systemd.services.hardeneddbus = {
|
|
description = "Install hardeneddbus";
|
|
wantedBy = [ "multi-user.target" ];
|
|
script = ''
|
|
cp ${dbus-hardening} ${dataDir}/etc/dbus-1/system.d/dbus.conf
|
|
chmod 640 ${dataDir}/etc/dbus-1/system.d/dbus.conf
|
|
'';
|
|
serviceConfig = nix-bitcoin-services.defaultHardening // {
|
|
PrivateNetwork = "true";
|
|
Type = "oneshot";
|
|
User = "messagebus";
|
|
ReadWritePaths = "${dataDir}";
|
|
};
|
|
};
|
|
};
|
|
}
|