nixos/confinement: Explicitly set serviceConfig
My implementation was relying on PrivateDevices, PrivateTmp, PrivateUsers and others to be false by default if chroot-only mode is used. However there is an ongoing effort[1] to change these defaults, which then will actually increase the attack surface in chroot-only mode, because it is expected that there is no /dev, /sys or /proc. If for example PrivateDevices is enabled by default, there suddenly will be a mounted /dev in the chroot and we wouldn't detect it. Fortunately, our tests cover that, but I'm preparing for this anyway so that we have a smoother transition without the need to fix our implementation again. Thanks to @Infinisil for the heads-up. [1]: https://github.com/NixOS/nixpkgs/issues/14645 Signed-off-by: aszlig <aszlig@nix.build>
This commit is contained in:
parent
9e9af4f9c0
commit
d13ad389b4
1 changed files with 20 additions and 8 deletions
|
@ -106,19 +106,31 @@ in {
|
|||
config = let
|
||||
rootName = "${mkPathSafeName name}-chroot";
|
||||
inherit (config.confinement) binSh fullUnit;
|
||||
wantsAPIVFS = lib.mkDefault (config.confinement.mode == "full-apivfs");
|
||||
in lib.mkIf config.confinement.enable {
|
||||
serviceConfig = {
|
||||
RootDirectory = pkgs.runCommand rootName {} "mkdir \"$out\"";
|
||||
TemporaryFileSystem = "/";
|
||||
MountFlags = lib.mkDefault "private";
|
||||
} // lib.optionalAttrs (config.confinement.mode == "full-apivfs") {
|
||||
MountAPIVFS = true;
|
||||
PrivateDevices = true;
|
||||
PrivateTmp = true;
|
||||
PrivateUsers = true;
|
||||
ProtectControlGroups = true;
|
||||
ProtectKernelModules = true;
|
||||
ProtectKernelTunables = true;
|
||||
|
||||
# https://github.com/NixOS/nixpkgs/issues/14645 is a future attempt
|
||||
# to change some of these to default to true.
|
||||
#
|
||||
# If we run in chroot-only mode, having something like PrivateDevices
|
||||
# set to true by default will mount /dev within the chroot, whereas
|
||||
# with "chroot-only" it's expected that there are no /dev, /proc and
|
||||
# /sys file systems available.
|
||||
#
|
||||
# However, if this suddenly becomes true, the attack surface will
|
||||
# increase, so let's explicitly set these options to true/false
|
||||
# depending on the mode.
|
||||
MountAPIVFS = wantsAPIVFS;
|
||||
PrivateDevices = wantsAPIVFS;
|
||||
PrivateTmp = wantsAPIVFS;
|
||||
PrivateUsers = wantsAPIVFS;
|
||||
ProtectControlGroups = wantsAPIVFS;
|
||||
ProtectKernelModules = wantsAPIVFS;
|
||||
ProtectKernelTunables = wantsAPIVFS;
|
||||
};
|
||||
confinement.packages = let
|
||||
startOnly = config.serviceConfig.RootDirectoryStartOnly or false;
|
||||
|
|
Loading…
Reference in a new issue