From 8a2439f1c25f659c060033f39492af1867045fd9 Mon Sep 17 00:00:00 2001
From: Martin Weinelt
Date: Mon, 14 Oct 2024 04:22:42 +0200
Subject: [PATCH] nixos/avahi-daemon: set up sandboxing

---
 .../services/networking/avahi-daemon.nix      | 41 +++++++++++++++++++
 nixos/tests/avahi.nix                         |  2 +
 2 files changed, 43 insertions(+)

diff --git a/nixos/modules/services/networking/avahi-daemon.nix b/nixos/modules/services/networking/avahi-daemon.nix
index 72ccb910982c..73fc210728d8 100644
--- a/nixos/modules/services/networking/avahi-daemon.nix
+++ b/nixos/modules/services/networking/avahi-daemon.nix
@@ -317,6 +317,47 @@ in
           Type = "dbus";
           ExecStart = "${cfg.package}/sbin/avahi-daemon --syslog -f ${avahiDaemonConf}";
           ConfigurationDirectory = "avahi/services";
+
+          # Hardening
+          CapabilityBoundingSet = [
+            # https://github.com/avahi/avahi/blob/v0.9-rc1/avahi-daemon/caps.c#L38
+            "CAP_SYS_CHROOT"
+            "CAP_SETUID"
+            "CAP_SETGID"
+          ];
+          DevicePolicy = "closed";
+          LockPersonality = true;
+          MemoryDenyWriteExecute = true;
+          NoNewPrivileges = true;
+          PrivateDevices = true;
+          PrivateTmp = true;
+          PrivateUsers = false;
+          ProcSubset = "pid";
+          ProtectClock = true;
+          ProtectControlGroups = true;
+          ProtectHome = true;
+          ProtectHostname = true;
+          ProtectKernelLogs = true;
+          ProtectKernelModules = true;
+          ProtectKernelTunables = true;
+          ProtectProc = "invisible";
+          ProtectSystem = "strict";
+          RestrictAddressFamilies = [
+            "AF_INET"
+            "AF_INET6"
+            "AF_NETLINK"
+            "AF_UNIX"
+          ];
+          RestrictNamespaces = true;
+          RestrictRealtime = true;
+          RestrictSUIDSGID = true;
+          SystemCallArchitectures = "native";
+          SystemCallFilter = [
+            "@system-service"
+            "~@privileged"
+            "@chown setgroups setresuid"
+          ];
+          UMask = "0077";
         };
       };
diff --git a/nixos/tests/avahi.nix b/nixos/tests/avahi.nix
index 4ae2f919f2f7..7a2d4bbd0ffc 100644
--- a/nixos/tests/avahi.nix
+++ b/nixos/tests/avahi.nix
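Review bot: The `@chown` entry in the SystemCallFilter allow-back list looks dead: CAP_CHOWN is not in CapabilityBoundingSet, and the unit appears to start as root and let the daemon drop privileges itself (the caps.c reference and the retained CAP_SETUID/CAP_SETGID point that way), so a chown() of the runtime directory to the avahi ids will return EPERM rather than be permitted. Either shrink the entry to `"setgroups setresuid"`, or, if avahi's runtime-directory chown has to succeed, add `"CAP_CHOWN"` to the bounding set — the daemon's journal under this unit should show which applies. In the same pass it is worth confirming that `~@privileged` does not strip calls the drop-root path relies on: as I read systemd's set definitions it also covers setresgid and chroot, neither of which is re-allowed here, and with no SystemCallErrorNumber set a filtered call terminates the daemon with SIGSYS instead of producing a logged error. The serviceConfig attribute set these lines extend begins before the hunk.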
@@ -75,5 +75,7 @@ import ./make-test-python.nix {
     one.succeed("test `wc -l < out` -gt 0")
     two.succeed("avahi-browse -r -t _ssh._tcp | tee out >&2")
     two.succeed("test `wc -l < out` -gt 0")
+
+    one.log(one.execute("systemd-analyze security avahi-daemon.service | grep -v ✓")[1])
   '';
 } args
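Review bot: The added `one.log(...)` only records the systemd-analyze findings, so a later change that weakens the sandbox (a widened bounding set, a dropped Protect* option) still passes this test. `one.execute` returns a (status, output) pair and only element 1 is used, so even the grep exit status is discarded. Consider pairing the log line with an assertion such as `one.succeed("systemd-analyze security --threshold=<level> avahi-daemon.service")`, which on recent systemd exits non-zero once the overall exposure exceeds the chosen level; take the level from the score this log line reports on its first run. The testScript string these lines sit in opens before the hunk.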