nixos/jellyfin: add some systemd security options #98176
Conversation
Thanks for tagging me in. This seems like a Very Good Thing™ overall, and I support it, but I'm not familiar enough with the specifics to provide a useful review.

The options all look reasonable to me and if they have been working then it seems good. This may lead to a little more work to test new versions but that is probably worth it. Especially since we are using the binary release which is a bit more difficult to audit.
ace6cca to 4e51247
LGTM too
This commit broke playback on my iOS devices. With these options enabled, I always see lines similar to the following in the log when attempting playback from my iPad:
After reverting this commit ffmpeg no longer crashes and playback succeeds.
Can you try running that command line and getting the ffmpeg output?
Running the command as the jellyfin user on the command line succeeds. I don't know how to emulate the restricted execution environment of the systemd service when the security options are enabled...
A simple way would be overriding the ExecStart of the jellyfin service with the ffmpeg command. The logs will be captured in the journal.
Shameless plug: if you need a shell inside the "sandbox" to test things out, I wrote a piece on the wiki on how to do it 🙂
@xwvvvvwx are you able to test this out?
Hey sorry, spaced out on this. I just tested with the The unit and error output are here: https://gist.github.com/xwvvvvwx/17c45ce3c43d64c53eeeecaea8113c6a

What's weird is that if I comment out all the security options and run
From the error that you have, it seems to me that we should add

How are you testing this exactly? Are you using a hand-placed service file? You can use
I am testing with a service placed in

Adding
Can you try adding
Same error:
Pure speculation here, but looking at the
So, I've had some time to try and reproduce the error. Here is the script I have to try to get in your situation:

Script

```sh
#!/bin/sh
systemd-run \
  --pty \
  \
  -p BindReadOnlyPaths=/home/minijackson/Videos \
  -p ProtectHome=tmpfs \
  \
  -p NoNewPrivileges=true \
  -p DeviceAllow="char-drm rw" \
  -p AmbientCapabilities= \
  -p CapabilityBoundingSet= \
  -p LockPersonality=true \
  \
  -p PrivateTmp=true \
  -p PrivateUsers=true \
  \
  -p ProtectClock=true \
  -p ProtectControlGroups=true \
  -p ProtectHostname=true \
  -p ProtectKernelLogs=true \
  -p ProtectKernelModules=true \
  -p ProtectKernelTunables=true \
  \
  -p RemoveIPC=true \
  \
  -p RestrictNamespaces=true \
  -p RestrictAddressFamilies="AF_NETLINK AF_INET AF_INET6" \
  -p RestrictRealtime=true \
  -p RestrictSUIDSGID=true \
  \
  -p SystemCallArchitectures=native \
  -p SystemCallErrorNumber=EPERM \
  -p SystemCallFilter="@system-service" \
  -p SystemCallFilter="~@chown" \
  -p SystemCallFilter="~@cpu-emulation" \
  -p SystemCallFilter="~@debug" \
  -p SystemCallFilter="~@keyring" \
  -p SystemCallFilter="~@memlock" \
  -p SystemCallFilter="~@module" \
  -p SystemCallFilter="~@obsolete" \
  -p SystemCallFilter="~@privileged" \
  -p SystemCallFilter="~@setuid" \
  ffmpeg \
    -hwaccel vaapi -hwaccel_output_format vaapi -vaapi_device /dev/dri/renderD128 \
    -i file:/home/minijackson/Videos/$RANDOM_VIDEO_FILE_I_HAVE_ON_MY_COMPUTER.mkv \
    -map_metadata -1 -map_chapters -1 \
    -threads 0 -map 0:0 -map 0:1 -codec:v:0 h264_vaapi \
    -b:v 639378 -maxrate 639378 -bufsize 1278756 -profile:v high -level 41 -force_key_frames:0 "expr:gte(t,0+n_forced*3)" -g 72 -keyint_min 72 -sc_threshold 0 \
    -vf "format=nv12|vaapi,hwupload,scale_vaapi=w=638:h=266:format=nv12" \
    -start_at_zero -vsync -1 -codec:a:0 libmp3lame -ac 2 -ab 160622 -copyts -avoid_negative_ts disabled -f hls -max_delay 5000000 -hls_time 3 -individual_header_trailer 0 -hls_segment_type mpegts -start_number 0 -hls_playlist_type vod -hls_list_size 0 -y \
    /tmp/thing.m3u8
```
Some things to note:

@xwvvvvwx Can you tell me if this script is also working for you? I have missed it in my previous message, but it seems your last error comes from a missing symbol. Can you check if you have access to the libraries from inside the unit, and if they do contain the symbol ffmpeg is looking for?
Motivation for this change

I was reading through the changes introduced in transmission by #92106, and I kinda drank the Kool-Aid and thought that the Jellyfin module (among others) needed some systemd security options.

I have been using jellyfin with most of these options for a few days now, without noticing too much.

All in all, this brings the score of systemd-analyze security jellyfin from 9.2, all the way down to 1.6 🎉

Possible additional hardening

To harden even more, we could:
- ProtectHome = true
- ProtectSystem = "strict"
- RootDirectory and ask the end user to provide us with paths to whitelist, and use them in BindReadOnlyPaths/BindPaths

These three propositions are not in this PR, as they most likely could break existing setups, but I have been using them in my personal server, and they seem to work well:
Note: if you want to test this and you are on NixOS 20.03, note that the PrivateUsers = true; doesn't seem to work with systemd 243.

Things done
- sandbox in nix.conf on non-NixOS linux)
- nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
- ./result/bin/ )
- nix path-info -S before and after)

cc @nyanloutre @purcell what do you think?
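As an added illustration (not the PR's own diff), this NixOS fragment combines the options from the reproduction script above with the stricter "possible additional hardening" from the description, while keeping the allow-lists that hardware transcoding with ffmpeg and VAAPI needs. The media paths, the state directory and the `video` supplementary group are assumptions to adapt to your own setup.

```nix
# Added example for this thread; the media paths and state directory are
# placeholders, and the service is otherwise configured by the module.
{ ... }:

let
  mediaPaths = [ "/srv/media/movies" "/srv/media/shows" ]; # placeholder
  stateDir = "/var/lib/jellyfin";                           # assumed default
in
{
  services.jellyfin.enable = true;

  systemd.services.jellyfin.serviceConfig = {
    # Filesystem view: everything read-only except explicit allow-lists
    # (the stricter variant the description leaves out of the PR).
    ProtectSystem = "strict";
    ProtectHome = true;
    BindReadOnlyPaths = mediaPaths;
    ReadWritePaths = [ stateDir ];
    PrivateTmp = true;

    # Hardware transcoding: the DRM render node must stay reachable, so
    # PrivateDevices is left unset and only DRM character devices are allowed.
    DeviceAllow = [ "char-drm rw" ];
    SupplementaryGroups = [ "video" ]; # assumed group owning /dev/dri

    # Privilege and kernel-surface reduction, mirroring the systemd-run script.
    NoNewPrivileges = true;
    CapabilityBoundingSet = "";
    AmbientCapabilities = "";
    LockPersonality = true;
    PrivateUsers = true; # reported not to work on systemd 243 (NixOS 20.03)
    ProtectClock = true;
    ProtectControlGroups = true;
    ProtectHostname = true;
    ProtectKernelLogs = true;
    ProtectKernelModules = true;
    ProtectKernelTunables = true;
    RemoveIPC = true;
    RestrictNamespaces = true;
    RestrictRealtime = true;
    RestrictSUIDSGID = true;
    RestrictAddressFamilies = [ "AF_NETLINK" "AF_INET" "AF_INET6" ];
    SystemCallArchitectures = "native";
    SystemCallErrorNumber = "EPERM";
    SystemCallFilter = [
      "@system-service" "~@chown" "~@cpu-emulation" "~@debug" "~@keyring"
      "~@memlock" "~@module" "~@obsolete" "~@privileged" "~@setuid"
    ];
  };
}
```

After rebuilding, compare `systemd-analyze security jellyfin` before and after, then trigger a hardware transcode; if ffmpeg fails, the systemd-run script from the thread reproduces the same sandbox outside the unit so the failing option can be bisected.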