Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

nixos/babeld: lock down service #98187

Merged
merged 1 commit into from Oct 29, 2020
Merged

nixos/babeld: lock down service #98187

merged 1 commit into from Oct 29, 2020

Conversation

@mweinelt
Copy link
Member

@mweinelt mweinelt commented Sep 17, 2020

Motivation for this change

Tested in production in my private mesh network.

[root@helios:~]# systemd-analyze security babeld
  NAME                                                        DESCRIPTION                                                                    EXPOSURE
✗ PrivateNetwork=                                             Service has access to the host's network                                            0.5
✗ User=/DynamicUser=                                          Service runs as root user                                                           0.4
✓ CapabilityBoundingSet=~CAP_SET(UID|GID|PCAP)                Service cannot change UID/GID identities/capabilities                                  
✓ CapabilityBoundingSet=~CAP_SYS_ADMIN                        Service has no administrator privileges                                                
✓ CapabilityBoundingSet=~CAP_SYS_PTRACE                       Service has no ptrace() debugging abilities                                            
✗ RestrictAddressFamilies=~AF_(INET|INET6)                    Service may allocate Internet sockets                                               0.3
✓ RestrictNamespaces=~CLONE_NEWUSER                           Service cannot create user namespaces                                                  
✓ RestrictAddressFamilies=~…                                  Service cannot allocate exotic sockets                                                 
✓ CapabilityBoundingSet=~CAP_(CHOWN|FSETID|SETFCAP)           Service cannot change file ownership/access mode/capabilities                          
✓ CapabilityBoundingSet=~CAP_(DAC_*|FOWNER|IPC_OWNER)         Service cannot override UNIX file/IPC permission checks                                
✗ CapabilityBoundingSet=~CAP_NET_ADMIN                        Service has network configuration privileges                                        0.2
✓ CapabilityBoundingSet=~CAP_SYS_MODULE                       Service cannot load kernel modules                                                     
✓ CapabilityBoundingSet=~CAP_SYS_RAWIO                        Service has no raw I/O access                                                          
✓ CapabilityBoundingSet=~CAP_SYS_TIME                         Service processes cannot change the system clock                                       
✗ DeviceAllow=                                                Service has a device ACL with some special devices                                  0.1
✗ IPAddressDeny=                                              Service defines IP address allow list with non-localhost entries                    0.1
✓ KeyringMode=                                                Service doesn't share key material with other services                                 
✓ NoNewPrivileges=                                            Service processes cannot acquire new privileges                                        
✓ NotifyAccess=                                               Service child processes cannot alter service state                                     
✓ PrivateDevices=                                             Service has no access to hardware devices                                              
✓ PrivateMounts=                                              Service cannot install system mounts                                                   
✓ PrivateTmp=                                                 Service has no access to other software's temporary files                              
✗ PrivateUsers=                                               Service has access to other users                                                   0.2
✓ ProtectClock=                                               Service cannot write to the hardware clock or system clock                             
✓ ProtectControlGroups=                                       Service cannot modify the control group file system                                    
✓ ProtectHome=                                                Service has no access to home directories                                              
✓ ProtectKernelLogs=                                          Service cannot read from or write to the kernel log ring buffer                        
✓ ProtectKernelModules=                                       Service cannot load or read kernel modules                                             
✗ ProtectKernelTunables=                                      Service may alter kernel tunables                                                   0.2
✓ ProtectSystem=                                              Service has strict read-only access to the OS file hierarchy                           
✓ RestrictAddressFamilies=~AF_PACKET                          Service cannot allocate packet sockets                                                 
✓ RestrictSUIDSGID=                                           SUID/SGID file creation by service is restricted                                       
✓ SystemCallArchitectures=                                    Service may execute system calls only with native ABI                                  
✓ SystemCallFilter=~@clock                                    System call allow list defined for service, and @clock is not included                 
✓ SystemCallFilter=~@debug                                    System call allow list defined for service, and @debug is not included                 
✓ SystemCallFilter=~@module                                   System call allow list defined for service, and @module is not included                
✓ SystemCallFilter=~@mount                                    System call allow list defined for service, and @mount is not included                 
✓ SystemCallFilter=~@raw-io                                   System call allow list defined for service, and @raw-io is not included                
✓ SystemCallFilter=~@reboot                                   System call allow list defined for service, and @reboot is not included                
✓ SystemCallFilter=~@swap                                     System call allow list defined for service, and @swap is not included                  
✗ SystemCallFilter=~@privileged                               System call allow list defined for service, and @privileged is included             0.2
✗ SystemCallFilter=~@resources                                System call allow list defined for service, and @resources is included              0.2
✓ AmbientCapabilities=                                        Service process does not receive ambient capabilities                                  
✓ CapabilityBoundingSet=~CAP_AUDIT_*                          Service has no audit subsystem access                                                  
✓ CapabilityBoundingSet=~CAP_KILL                             Service cannot send UNIX signals to arbitrary processes                                
✓ CapabilityBoundingSet=~CAP_MKNOD                            Service cannot create device nodes                                                     
✓ CapabilityBoundingSet=~CAP_NET_(BIND_SERVICE|BROADCAST|RAW) Service has no elevated networking privileges                                          
✓ CapabilityBoundingSet=~CAP_SYSLOG                           Service has no access to kernel logging                                                
✓ CapabilityBoundingSet=~CAP_SYS_(NICE|RESOURCE)              Service has no privileges to change resource use parameters                            
✓ RestrictNamespaces=~CLONE_NEWCGROUP                         Service cannot create cgroup namespaces                                                
✓ RestrictNamespaces=~CLONE_NEWIPC                            Service cannot create IPC namespaces                                                   
✓ RestrictNamespaces=~CLONE_NEWNET                            Service cannot create network namespaces                                               
✓ RestrictNamespaces=~CLONE_NEWNS                             Service cannot create file system namespaces                                           
✓ RestrictNamespaces=~CLONE_NEWPID                            Service cannot create process namespaces                                               
✓ RestrictRealtime=                                           Service realtime scheduling access is restricted                                       
✓ SystemCallFilter=~@cpu-emulation                            System call allow list defined for service, and @cpu-emulation is not included         
✓ SystemCallFilter=~@obsolete                                 System call allow list defined for service, and @obsolete is not included              
✗ RestrictAddressFamilies=~AF_NETLINK                         Service may allocate netlink sockets                                                0.1
✗ RootDirectory=/RootImage=                                   Service runs within the host's root directory                                       0.1
  SupplementaryGroups=                                        Service runs as root, option does not matter                                           
✓ CapabilityBoundingSet=~CAP_MAC_*                            Service cannot adjust SMACK MAC                                                        
✓ CapabilityBoundingSet=~CAP_SYS_BOOT                         Service cannot issue reboot()                                                          
✓ Delegate=                                                   Service does not maintain its own delegated control group subtree                      
✓ LockPersonality=                                            Service cannot change ABI personality                                                  
✓ MemoryDenyWriteExecute=                                     Service cannot create writable executable memory mappings                              
  RemoveIPC=                                                  Service runs as root, option does not apply                                            
✓ RestrictNamespaces=~CLONE_NEWUTS                            Service cannot create hostname namespaces                                              
✓ UMask=                                                      Files created by service are accessible only by service's own user by default          
✓ CapabilityBoundingSet=~CAP_LINUX_IMMUTABLE                  Service cannot mark files immutable                                                    
✓ CapabilityBoundingSet=~CAP_IPC_LOCK                         Service cannot lock memory into RAM                                                    
✓ CapabilityBoundingSet=~CAP_SYS_CHROOT                       Service cannot issue chroot()                                                          
✓ ProtectHostname=                                            Service cannot change system host/domainname                                           
✓ CapabilityBoundingSet=~CAP_BLOCK_SUSPEND                    Service cannot establish wake locks                                                    
✓ CapabilityBoundingSet=~CAP_LEASE                            Service cannot create file leases                                                      
✓ CapabilityBoundingSet=~CAP_SYS_PACCT                        Service cannot use acct()                                                              
✓ CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG                   Service cannot issue vhangup()                                                         
✓ CapabilityBoundingSet=~CAP_WAKE_ALARM                       Service cannot program timers that wake up the system                                  
✓ RestrictAddressFamilies=~AF_UNIX                            Service cannot allocate local sockets                                                  

→ Overall exposure level for babeld.service: 2.2 OK 🙂
Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.
@mweinelt mweinelt requested a review from andir Sep 17, 2020
@mweinelt
Copy link
Member Author

@mweinelt mweinelt commented Sep 17, 2020

@GrahamcOfBorg test babeld

serviceConfig.ExecStart = "${pkgs.babeld}/bin/babeld -c ${configFile}";
serviceConfig = {
ExecStart = "${pkgs.babeld}/bin/babeld -c ${configFile} -I /run/babeld/babeld.pid -S /var/lib/babeld/state";
DeviceAllow = [ "/dev/null" "/dev/urandom" ];

This comment has been minimized.

@andir

andir Sep 18, 2020
Member

Isn't PrivateDevices enough?

This comment has been minimized.

@mweinelt

mweinelt Sep 18, 2020
Author Member

Isn't this more narrow and thus an improvement?

This comment has been minimized.

@andir

andir Oct 21, 2020
Member

My concern here is that the user is still able to see those devices and we must keep whitelisting them? With PrivateDevices the process would just get a "standard" layout of /dev without us having to care about which devices they try to access as none of them should be able to cause harm.

This comment has been minimized.

@mweinelt

mweinelt Oct 21, 2020
Author Member

Fair enough, I'll drop DeviceAllow completely then.

serviceConfig = {
ExecStart = "${pkgs.babeld}/bin/babeld -c ${configFile} -I /run/babeld/babeld.pid -S /var/lib/babeld/state";
DeviceAllow = [ "/dev/null" "/dev/urandom" ];
CapabilityBoundingSet = [ "CAP_NET_ADMIN" ];

This comment has been minimized.

@andir

andir Sep 18, 2020
Member

Can't we use DynamicUser=true in this case? What other privs does the process need that justify running as root?

This comment has been minimized.

@mweinelt

mweinelt Sep 18, 2020
Author Member

Requires setting sysctls.

This comment has been minimized.

@andir

andir Oct 21, 2020
Member

mhm okay :/

@mweinelt
Copy link
Member Author

@mweinelt mweinelt commented Oct 20, 2020

@andir How do we proceed here?

→ Overall exposure level for babeld.service: 2.2 OK 🙂
@mweinelt mweinelt force-pushed the mweinelt:nixos/babeld branch from 94aba19 to c821e0d Oct 21, 2020
@mweinelt mweinelt merged commit 55746e0 into NixOS:master Oct 29, 2020
16 checks passed
16 checks passed
@github-actions
tests
Details
@github-actions
action
Details
@ofborg
Evaluation Performance Report Evaluator Performance Report
Details
@github-actions
Wait for ofborg
Details
@ofborg
grahamcofborg-eval ^.^!
Details
@ofborg
grahamcofborg-eval-check-meta config.nix: checkMeta = true
Details
@ofborg
grahamcofborg-eval-darwin nix-instantiate --arg nixpkgs { outPath=./.; revCount=999999; shortRev="c821e0d"; rev="c821e0d4be2b4ebc8e1eebca6eb11211a371a43e"; } ./pkgs/t
Details
@ofborg
grahamcofborg-eval-lib-tests nix-build --arg pkgs import ./. {} ./lib/tests/release.nix
Details
@ofborg
grahamcofborg-eval-nixos nix-instantiate --arg nixpkgs { outPath=./.; revCount=999999; shortRev="c821e0d"; rev="c821e0d4be2b4ebc8e1eebca6eb11211a371a43e"; } ./nixos/
Details
@ofborg
grahamcofborg-eval-nixos-manual nix-instantiate --arg nixpkgs { outPath=./.; revCount=999999; shortRev="c821e0d"; rev="c821e0d4be2b4ebc8e1eebca6eb11211a371a43e"; } ./nixos/
Details
@ofborg
grahamcofborg-eval-nixos-options nix-instantiate --arg nixpkgs { outPath=./.; revCount=999999; shortRev="c821e0d"; rev="c821e0d4be2b4ebc8e1eebca6eb11211a371a43e"; } ./nixos/
Details
@ofborg
grahamcofborg-eval-nixpkgs-manual nix-instantiate --arg nixpkgs { outPath=./.; revCount=999999; shortRev="c821e0d"; rev="c821e0d4be2b4ebc8e1eebca6eb11211a371a43e"; } ./pkgs/t
Details
@ofborg
grahamcofborg-eval-nixpkgs-tarball nix-instantiate --arg nixpkgs { outPath=./.; revCount=999999; shortRev="c821e0d"; rev="c821e0d4be2b4ebc8e1eebca6eb11211a371a43e"; } ./pkgs/t
Details
@ofborg
grahamcofborg-eval-nixpkgs-unstable-jobset nix-instantiate --arg nixpkgs { outPath=./.; revCount=999999; shortRev="c821e0d"; rev="c821e0d4be2b4ebc8e1eebca6eb11211a371a43e"; } ./pkgs/t
Details
@ofborg
grahamcofborg-eval-package-list nix-env -qa --json --file .
Details
@ofborg
grahamcofborg-eval-package-list-no-aliases nix-env -qa --json --file . --arg config { allowAliases = false; }
Details
@mweinelt mweinelt deleted the mweinelt:nixos/babeld branch Oct 29, 2020
@mweinelt mweinelt mentioned this pull request Nov 24, 2020
5 of 10 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked issues

Successfully merging this pull request may close these issues.

None yet

2 participants