[Hardening] remove broken and obsolete dbus hardening

This commit is contained in:
Antoine Viallon 2024-03-08 23:15:46 +01:00
parent f3ccaff561
commit 87ab357291
Signed by: aviallon
GPG key ID: 186FC35EDEB25716


@ -28,20 +28,13 @@ in
type = types.bool;
};
services = {
dbus = mkOption rec {
default = cfg.hardcore;
example = !default;
description = "Enable dbus service hardening";
type = types.bool;
};
};
};
imports = [
(mkRemovedOptionModule [ "aviallon" "hardening" "services" "dbus" ] "dbus should use AppArmor hardening instead")
];
config = mkIf cfg.enable {
# imports = [
# (modulesPath + "/profiles/hardened.nix")
# ];
aviallon.boot.kernel.package = mkIf cfg.hardcore pkgs.linuxKernel.kernels.linux_hardened;
security.lockKernelModules = mkIf cfg.hardcore (mkQuasiForce true);
# security.protectKernelImage = mkIf cfg.hardcore (mkOverride 500 false); # needed for kexec
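Review bot: The removal message on the new `mkRemovedOptionModule` line points users to "AppArmor hardening instead", but nothing in this commit enables AppArmor or a dbus profile, so a host that had `services.dbus = true` now runs dbus with none of the systemd sandboxing that the second hunk deletes. If the AppArmor configuration already lives in another module, the message should name it so the reader can find it; if it does not exist yet, the safer interim step is to keep the replacement explicit, e.g. `security.apparmor.enable = mkIf cfg.hardcore (mkDefault true);` next to the `lockKernelModules` line. It would also help to record which of the dropped directives actually broke dbus (the title says "broken" but the diff does not say how), since a future maintainer may otherwise re-add the whole list wholesale. The module definition this hunk belongs to starts before and continues past the hunk.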
@ -112,31 +105,5 @@ in
environment.systemPackages = with pkgs; [
sbctl # Secure Boot keys generation
];
systemd.services.dbus.serviceConfig = mkIf cfg.services.dbus {
# Hardening
CapabilityBoundingSet = [ "CAP_SETGID" "CAP_SETUID" "CAP_SETPCAP" "CAP_SYS_RESOURCE" "CAP_AUDIT_WRITE" ];
DeviceAllow = [ "/dev/null rw" "/dev/urandom r" ];
DevicePolicy = "strict";
IPAddressDeny = "any";
LimitMEMLOCK = 0;
LockPersonality = true;
MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
PrivateDevices = true;
PrivateTmp = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectSystem = "strict";
ReadOnlyPaths = [ "-/" ];
RestrictAddressFamilies = [ "AF_UNIX" ];
RestrictNamespaces = true;
RestrictRealtime = true;
SystemCallArchitectures = "native";
SystemCallFilter = [ "@system-service" "~@chown" "~@clock" "~@cpu-emulation" "~@debug" "~@module" "~@mount" "~@obsolete" "~@raw-io" "~@reboot" "~@resources" "~@swap" "~memfd_create" "~mincore" "~mlock" "~mlockall" "~personality" ];
UMask = "0077";
};
};
}