Skip to content
Permalink

Comparing changes

Choose two branches to see what’s changed or to start a new pull request. If you need to, you can also or learn more about diff comparisons.

Open a pull request

Create a new pull request by comparing changes across two branches. If you need to, you can also . Learn more about diff comparisons here.
base repository: NixOS/nixpkgs
Failed to load repositories. Confirm that selected base ref is valid, then try again.
Loading
base: 2755df8657bd
Choose a base ref
...
head repository: NixOS/nixpkgs
Failed to load repositories. Confirm that selected head ref is valid, then try again.
Loading
compare: 55746e0a4b61
Choose a head ref
  • 2 commits
  • 1 file changed
  • 2 contributors

Commits on Oct 21, 2020

  1. nixos/babeld: lock down service 

    → Overall exposure level for babeld.service: 2.2 OK 🙂
    @mweinelt
    mweinelt committed Oct 21, 2020

    Unverified

    This commit is not signed, but one or more authors requires that any commit attributed to them is signed.
    Learn about vigilant mode
    Copy the full SHA
    c821e0d View commit details

Commits on Oct 29, 2020

  1. Merge pull request #98187 from mweinelt/nixos/babeld 

    nixos/babeld: lock down service
    @mweinelt
    mweinelt authored Oct 29, 2020

    Verified

    This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
    GPG key ID: 4AEE18F83AFDEB23
    Expired
    Verified
    Learn about vigilant mode
    Copy the full SHA
    55746e0 View commit details
Showing with 31 additions and 3 deletions.
  1. +31 −3 nixos/modules/services/networking/babeld.nix
34 changes: 31 additions & 3 deletions nixos/modules/services/networking/babeld.nix
View file
Original file line number Diff line number Diff line change
@@ -87,9 +87,37 @@ in
description = "Babel routing daemon";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
serviceConfig.ExecStart = "${pkgs.babeld}/bin/babeld -c ${configFile}";
serviceConfig = {
ExecStart = "${pkgs.babeld}/bin/babeld -c ${configFile} -I /run/babeld/babeld.pid -S /var/lib/babeld/state";
CapabilityBoundingSet = [ "CAP_NET_ADMIN" ];
IPAddressAllow = [ "fe80::/64" "ff00::/8" "::1/128" "127.0.0.0/8" ];
IPAddressDeny = "any";
LockPersonality = true;
NoNewPrivileges = true;
MemoryDenyWriteExecute = true;
ProtectSystem = "strict";
ProtectClock = true;
ProtectKernelTunables = false; # Couldn't write sysctl: Read-only file system
ProtectKernelModules = true;
ProtectKernelLogs = true;
ProtectControlGroups = true;
RestrictAddressFamilies = [ "AF_NETLINK" "AF_INET6" ];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
RemoveIPC = true;
ProtectHome = true;
ProtectHostname = true;
PrivateMounts = true;
PrivateTmp = true;
PrivateDevices = true;
PrivateUsers = false; # kernel_route(ADD): Operation not permitted
SystemCallArchitectures = "native";
SystemCallFilter = [ "@system-service" ];
UMask = "0177";
RuntimeDirectory = "babeld";
StateDirectory = "babeld";
};
};

};

}