
nixos/zerotierone: Sandbox the systemd service #64384

Open. Wants to merge 1 commit into base: master.

Conversation

@gazally (Contributor) commented Jul 6, 2019

Motivation for this change

Reducing the number of services that run as root with full privileges.

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nix-review --run "nix-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.

@@ -44,15 +44,39 @@ in
wantedBy = [ "multi-user.target" ];
preStart = ''
mkdir -p /var/lib/zerotier-one/networks.d
chmod 700 /var/lib/zerotier-one
chown -R root:root /var/lib/zerotier-one
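Review bot: Only five of the hunk's lines survive and the `+`/`-` markers are gone (the header says 15 lines became 39), so only the preStart block can be reviewed here, and in it the `mkdir -p` / `chmod 700` / `chown -R root:root` on /var/lib/zerotier-one is work systemd can do itself: `StateDirectory=zerotier-one` with `StateDirectoryMode=0700` creates the directory with that mode, owned by the unit's user (root when none is set), before ExecStart runs, which would drop the shell preStart and the recursive chown on every start. If the change already uses StateDirectory=, as the later discussion suggests, the preStart lines are redundant; either way the `chmod 700` is the line that changes behaviour for an existing installation (anything else that read the directory loses access) and deserves a sentence in the commit message.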

@grahamc (Member) Jul 6, 2019

Will this break existing installations?

@arianvp (Contributor) Jul 6, 2019

No. See lines 55 and 56.

@arianvp (Contributor) commented Jul 6, 2019

@gazally are you aware of the systemd.services.<name>.confinement option in NixOS? Maybe it is of interest to sandbox it even more.

@gazally (Contributor, Author) commented Jul 6, 2019

No, it's new to me but it looks useful. I tried it out with mode = "chroot-only" and the service seems to work fine but I get this log message:

Jul 06 10:17:52 sockeye systemd[24556]: Failed to create directory at /nix/store/0nqm27ihpwsd38mahblbrqxi92xy9lgm-zerotierone-chroot/usr: Read-only file system

This is issued before the pre-start script starts.

@arianvp (Contributor) commented Jul 6, 2019

Oh, apparently RootDirectory and StateDirectory cannot be combined, as it will try to add the StateDirectory to the immutable RootDirectory, which will fail. So alas :( I'm not sure if this is a bug or desired behaviour.

Edit:
Systemd insists on creating /usr in this read-only root directory before TemporaryFilesystem=/ is bind-mounted, and thus it fails. I have filed a bug for this here: #64392

Anyhow, the error is nonfatal, and just a warning log message. systemd just continues executing everything just fine. It's annoying but shouldn't break anything.

@arianvp (Contributor) commented Jul 6, 2019

@gazally conclusion is that you can ignore that error message. It isn't fatal. I'll see if I can make systemd suppress the message in a separate PR.

@gazally gazally force-pushed the gazally:zerotierone branch from dc252b1 to 19b714c Jul 6, 2019

@gazally (Contributor, Author) commented Jul 6, 2019

I've pushed a revised version with confinement enabled. It appears that confinement makes ProtectHome and ProtectSystem unnecessary so I removed those. While I was at it I decided to explicitly set to false the systemd settings which disagree with zerotier-one, in case the underlying defaults are changed at some point in the future.
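An added example, not the PR's own diff: a NixOS module fragment for the zerotierone unit in the shape the thread ends up with (confinement enabled, a systemd-managed state directory, and the settings the daemon cannot tolerate pinned to false explicitly). Which directives, capabilities and address families zerotier-one actually needs are assumptions here, since the PR does not list them:

```nix
# Added example, not the PR's diff. Which settings zerotier-one needs
# relaxed is an assumption; the PR does not list them.
{ ... }:
{
  systemd.services.zerotierone = {
    # NixOS builds a minimal chroot from the unit's store closure and runs
    # the daemon under RootDirectory=. With this on, ProtectHome/ProtectSystem
    # add nothing, as noted in the thread. chroot-only is the mode tested there.
    confinement.enable = true;
    confinement.mode = "chroot-only";

    serviceConfig = {
      # systemd creates /var/lib/zerotier-one with this mode, owned by the
      # unit's user (root here), replacing a mkdir/chmod/chown preStart.
      # Caveat from the thread: together with the confinement RootDirectory=,
      # systemd logs a non-fatal "Failed to create directory ... Read-only
      # file system" warning at start.
      StateDirectory = "zerotier-one";
      StateDirectoryMode = "0700";

      # Pinned to false explicitly so a future change of defaults cannot
      # break the daemon. Assumed: a VPN daemon needs the host network
      # namespace and /dev/net/tun.
      PrivateNetwork = false;
      PrivateDevices = false;

      # Everything the daemon is not assumed to need is locked down.
      # DeviceAllow= with the default DevicePolicy=auto admits only the
      # listed device plus the standard pseudo devices (/dev/null etc.).
      DeviceAllow = "/dev/net/tun rw";
      # Assumed minimum: creating the TUN interface and setting routes.
      CapabilityBoundingSet = "CAP_NET_ADMIN CAP_NET_RAW";
      RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6 AF_NETLINK";
      NoNewPrivileges = true;
      ProtectControlGroups = true;
      ProtectKernelTunables = true;
      ProtectKernelModules = true;
      RestrictNamespaces = true;
      RestrictRealtime = true;
      LockPersonality = true;
      SystemCallArchitectures = "native";
    };
  };
}
```

After a rebuild, `systemd-analyze security zerotierone.service` and `journalctl -u zerotierone` are the checks that show which of the assumed restrictions the daemon actually tolerates.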
