A fully up-to-date list of hardening options our sandbox module applies:

{
            # Filesystem stuff
            ProtectSystem = "strict"; # Prevent writing to most of /
            ProtectHome = true; # Prevent accessing /home and /root
            PrivateTmp = true; # Give an own directory under /tmp
            PrivateDevices = true; # Deny access to most of /dev
            ProtectKernelTunables = true; # Protect some parts of /sys
            ProtectControlGroups = true; # Remount cgroups read-only
            RestrictSUIDSGID = true; # Prevent creating SETUID/SETGID files
            PrivateMounts = true; # Give an own mount namespace

            # Capabilities
            CapabilityBoundingSet = ""; # Allow no capabilities at all
            NoNewPrivileges = true; # Disallow getting more capabilities. This is also implied by other options.

            # Kernel stuff
            ProtectKernelModules = true; # Prevent loading of kernel modules
            SystemCallArchitectures = "native"; # Usually no need to disable this
            ProtectKernelLogs = true; # Prevent access to kernel logs
            ProtectClock = true; # Prevent setting the RTC

            # Networking
            RestrictAddressFamilies = ""; # Example: "AF_UNIX AF_INET AF_INET6"
            PrivateNetwork = true; # Isolate the entire network

            # Misc
            LockPersonality = true; # Prevent change of the personality
            ProtectHostname = true; # Give an own UTS namespace
            RestrictRealtime = true; # Prevent switching to RT scheduling
            MemoryDenyWriteExecute = true; # Maybe disable this for interpreters like python
            PrivateUsers = true; # If anything randomly breaks, it's mostly because of this
}

I understand some of these are not useful at all (like PrivateNetwork), but maybe you find some of these useful.

Also, ProtectClock and ProtectKernelLogs are not yet supported by the NixOS systemd.

With PrivateUsers = true; error:

nginx.service: Failed to set up user namespacing: No space left on device
nginx.service: Failed at step USER spawning /nix/store/snsli9q204d8xhiwx8vr5faq5snd153c-unit-script-nginx-pre-start: No space left on device

With ProtectClock = true; and ProtectKernelLogs = true; warning:

systemd[1]: /nix/store/bsjqsa1jpy2kgxr5h0y177hcn7wpv9df-unit-nginx.service/nginx.service:26: Unknown key name 'ProtectClock' in section 'Service', ignoring.
systemd[1]: /nix/store/bsjqsa1jpy2kgxr5h0y177hcn7wpv9df-unit-nginx.service/nginx.service:30: Unknown key name 'ProtectKernelLogs' in section 'Service', ignoring.

With CapabilityBoundingSet = "";

nginx.service: Failed to apply ambient capabilities (before UID change): Operation not permitted
nginx.service: Failed at step CAPABILITIES spawning /nix/store/snsli9q204d8xhiwx8vr5faq5snd153c-unit-script-nginx-pre-start: Operation not permitted

Our nginx module uses these for the capabilities:

      CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" "CAP_SYS_RESOURCE" ];
      AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" "CAP_SYS_RESOURCE" ];

Updated.

Are you sure it needs AF_NETLINK? It's weird because it's lacking from our module, but is then allowed in AppArmor later on 🤔 @ajs124 any idea?

I have no recollection of anything related to this, so you might as well dig through the code yourself @dasJ.

Also it's worth mentioning in the changelog that MemoryDenyWriteExecute will probably break the nginx lua module 😩

Remove this option

Also it's worth mentioning in the changelog that MemoryDenyWriteExecute will probably break the nginx lua module 😩

Remove the option MemoryDenyWriteExecute?

It's a useful way of mitigating more severe problems when an attacker has already gained some access, so I'd keep it but people using the lua module should know that it breaks the module.

Add this wariant?
MemoryDenyWriteExecute = mkDefault true;

With MemoryDenyWriteExecute = true; nginx not worked, time-out open test page.

Not worked with pkgs.nginxModules.pagespeed

@dasJ need backport to 20-03?

This can't be backported to 20.03, which is almost released already.

I'm also a bit afraid about the things some of these options might break - do any other distros already have a nginx unit with some sandboxing options we could take some inspiration from?

@GrahamcOfBorg build nginx
@GrahamcOfBorg test nginx

I integrated the earlier module from #60646 in https://github.com/nixbitcoin/nix-bitcoin/tree/harden-nginx and never had any problems. I would be very happy to see services.nginx.enableSandbox implemented in nixpkgs.

Consider adding RemoveIPC systemd hardening option.

Added RemoveIPC

@GrahamcOfBorg test nginx
@GrahamcOfBorg test nginx-sandbox

I think that the release notes should also have mentioned that due to the added ProtectHome = mkDefault true;, nginx can no longer serve files from users' home directories.

I made PR #103147 for that.

Needs 20.09 backport.