nixos/nginx: use sandboxing mode #85567
Conversation
A fully up-to-date list of hardening options our sandbox module applies:

```nix
{
  # Filesystem stuff
  ProtectSystem = "strict";           # Prevent writing to most of /
  ProtectHome = true;                 # Prevent accessing /home and /root
  PrivateTmp = true;                  # Give an own directory under /tmp
  PrivateDevices = true;              # Deny access to most of /dev
  ProtectKernelTunables = true;       # Protect some parts of /sys
  ProtectControlGroups = true;        # Remount cgroups read-only
  RestrictSUIDSGID = true;            # Prevent creating SETUID/SETGID files
  PrivateMounts = true;               # Give an own mount namespace
  # Capabilities
  CapabilityBoundingSet = "";         # Allow no capabilities at all
  NoNewPrivileges = true;             # Disallow getting more capabilities. This is also implied by other options.
  # Kernel stuff
  ProtectKernelModules = true;        # Prevent loading of kernel modules
  SystemCallArchitectures = "native"; # Usually no need to disable this
  ProtectKernelLogs = true;           # Prevent access to kernel logs
  ProtectClock = true;                # Prevent setting the RTC
  # Networking
  RestrictAddressFamilies = "";       # Example: "AF_UNIX AF_INET AF_INET6"
  PrivateNetwork = true;              # Isolate the entire network
  # Misc
  LockPersonality = true;             # Prevent change of the personality
  ProtectHostname = true;             # Give an own UTS namespace
  RestrictRealtime = true;            # Prevent switching to RT scheduling
  MemoryDenyWriteExecute = true;      # Maybe disable this for interpreters like python
  PrivateUsers = true;                # If anything randomly breaks, it's mostly because of this
}
```

I understand some of these are not useful at all (like Also,
Our nginx module uses these for the capabilities:
Updated.
Are you sure it needs AF_NETLINK? It's weird because it's lacking from our module, but is then allowed in AppArmor later on 🤔 @ajs124 any idea?
I have no recollection of anything related to this, so you might as well dig through the code yourself @dasJ.
Also it's worth mentioning in the changelog that
Remove this option
Remove the option
It's a useful way of mitigating more severe problems when an attacker has already gained some access, so I'd keep it, but people using the lua module should know that it breaks the module.
Add this variant?
Probably for the best, yes :)
Did not work with
@dasJ need backport to 20.03?
This can't be backported to 20.03, which is almost released already. I'm also a bit afraid about the things some of these options might break - do any other distros already have a nginx unit with some sandboxing options we could take some inspiration from?
@GrahamcOfBorg build nginx
CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" "CAP_SYS_RESOURCE" ]; | ||
# Security | ||
NoNewPrivileges = true; | ||
# Sandboxing | ||
ProtectSystem = "strict"; | ||
ProtectHome = true; | ||
PrivateTmp = true; | ||
PrivateDevices = true; | ||
ProtectHostname = true; | ||
ProtectKernelTunables = true; | ||
ProtectKernelModules = true; | ||
ProtectControlGroups = true; | ||
RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ]; | ||
LockPersonality = true; | ||
MemoryDenyWriteExecute = mkDefault true; | ||
RestrictRealtime = true; | ||
RestrictSUIDSGID = true; | ||
PrivateMounts = true; | ||
# System Call Filtering | ||
SystemCallArchitectures = "native"; |
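Review bot: ProtectSystem = "strict" mounts the whole hierarchy read-only for the unit except /dev, /proc and /sys, and nothing in this hunk re-opens the nginx state directory, so unless a ReadWritePaths entry for it (and for any access or error log directory outside the journal) is set elsewhere, client-body and proxy temp files, the cache and log writes fail with EROFS at runtime; keep that entry next to these options and have the nginx test send at least one request large enough to be buffered to disk so the failure would show up. MemoryDenyWriteExecute = mkDefault true also breaks any module that generates code at runtime (LuaJIT in the Lua module is the known case); mkDefault lets users turn it off, but the option description should say when they have to. SystemCallArchitectures = "native" on its own installs no system call filter; a SystemCallFilter = [ "@system-service" ] line would fit the rest of the block, but do not add "~@privileged" to it, because that set contains setuid/setgid and the master process needs those to start the workers as the nginx user.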
Again, I'd feel way more comfortable if we'd have more tests covering standard use cases, and see they're not broken.
Need to create a test to check sandbox mode with perl/lua scripts?
yes. We need more tests to ensure things are not broken.
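The kind of test asked for above, as an added example written for this thread rather than taken from the PR: a NixOS VM test in the style of nixos/tests that switches on services.nginx.enableSandbox, checks that the directives land on the resulting unit, forces a buffered write into the state directory the module leaves writable, and shows what ProtectHome does to a public_html alias. The option name and the writable stateDir come from this PR; the make-test-python.nix driver, the vhost layout and the alice home directory are assumptions made for the example.

```nix
# Added example, not part of the PR: nixos/tests/nginx-sandbox.nix
# Assumes services.nginx.enableSandbox from this PR (with stateDir left
# writable), the make-test-python.nix driver, and that /home/alice does
# not exist on the test machine before the script creates it.
import ./make-test-python.nix ({ pkgs, ... }: {
  name = "nginx-sandbox";

  machine = { pkgs, ... }: {
    environment.systemPackages = [ pkgs.curl ];

    services.nginx = {
      enable = true;
      enableSandbox = true;
      virtualHosts.localhost = {
        # Static content from the store: reads must keep working.
        locations."/static/".alias =
          "${pkgs.writeTextDir "index.html" "static-ok"}/";
        # A backend that answers without touching disk.
        locations."/echo".extraConfig = ''
          default_type text/plain;
          return 200 "echo-ok";
        '';
        # Proxying to ourselves makes nginx buffer the request body first;
        # anything above client_body_buffer_size is spilled to
        # client_body_temp, i.e. a real write under ProtectSystem=strict.
        locations."/proxy/".proxyPass = "http://127.0.0.1/echo";
        # The layout ProtectHome breaks: a user's public_html directory.
        locations."/~alice/".alias = "/home/alice/public_html/";
      };
    };
  };

  testScript = ''
    machine.wait_for_unit("nginx.service")
    machine.wait_for_open_port(80)

    # The hardening directives are on the unit, not only in the module.
    show = machine.succeed(
        "systemctl show nginx.service "
        "-p ProtectSystem -p ProtectHome -p PrivateTmp -p NoNewPrivileges"
    )
    for expected in ["ProtectSystem=strict", "ProtectHome=yes",
                     "PrivateTmp=yes", "NoNewPrivileges=yes"]:
        assert expected in show, show

    # Reads from the store work under the sandbox.
    machine.succeed("curl -fsS http://localhost/static/ | grep -q static-ok")

    # A 512 KiB POST through the proxy location has to be buffered on disk;
    # if stateDir were not in ReadWritePaths nginx would answer 500 (EROFS)
    # and curl -f would fail.
    machine.succeed("dd if=/dev/zero of=/tmp/body bs=64k count=8")
    machine.succeed(
        "curl -fsS --data-binary @/tmp/body http://localhost/proxy/ | grep -q echo-ok"
    )

    # ProtectHome hides /home from the unit: the file is there on the host,
    # but nginx cannot see it and answers 404, which is the public_html
    # breakage reported for this option.
    machine.succeed(
        "mkdir -p /home/alice/public_html",
        "echo home-ok > /home/alice/public_html/index.html",
        "chmod -R o+rX /home/alice",
    )
    machine.fail("curl -fsS http://localhost/~alice/")
  '';
})
```

A Lua or Perl handler can be added to the same vhost once the module package is set on services.nginx.package; the proxied POST is the part that catches a missing ReadWritePaths, since a plain GET of static content never writes anything.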
} // optionalAttrs cfg.enableSandbox { | ||
# Sandboxing | ||
ProtectSystem = "strict"; | ||
ProtectHome = mkDefault true; |
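Review bot: ProtectHome = mkDefault true here cuts the unit off from /home, /root and /run/user, so any virtualHost root or alias that points into a user's home directory (the public_html pattern) returns 404 as soon as enableSandbox is turned on, and nothing in the option description warns about it. Either document this next to enableSandbox and in the release note, or default to ProtectHome = mkDefault "read-only", which keeps home directories readable while still blocking writes into them; mkDefault already lets users override either choice.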
How about moving ProtectSystem, ProtectHome and MemoryDenyWriteExecute to enableSandbox and moving the other options above the conditional? I think those 3 options are the controversial ones that could break people's setups, where we need more feedback.
This variant?

```nix
      # Security
      NoNewPrivileges = true;
      # Sandboxing
      PrivateTmp = true;
      PrivateDevices = true;
      ProtectHostname = true;
      ProtectKernelTunables = true;
      ProtectKernelModules = true;
      ProtectControlGroups = true;
      RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
      LockPersonality = true;
      RestrictRealtime = true;
      RestrictSUIDSGID = true;
      PrivateMounts = true;
      # System Call Filtering
      SystemCallArchitectures = "native";
    } // optionalAttrs cfg.enableSandbox {
      ProtectSystem = "strict";
      ProtectHome = mkDefault true;
      MemoryDenyWriteExecute = !(builtins.any (mod: (mod.allowMemoryWriteExecute or false)) pkgs.nginx.modules);
    };
```
Yes. This looks good to me.
In this variant, it will not be possible to disable options like PrivateTmp, etc.
Right. PrivateTmp should also be in the sandbox section. The rest looks safe to me, but correct me if I am wrong.
Or leave the current variant, or rename cfg.enableSandbox to cfg.enableSandboxStrict.
I prefer the current variant.
I integrated the earlier module from #60646 in https://github.com/nixbitcoin/nix-bitcoin/tree/harden-nginx and never had any problems. I would be very happy to see
Consider adding
Added
@GrahamcOfBorg test nginx
The allowMemoryWriteExecute option is required to check the enabled nginxModules and disable the nginx sandbox mode MemoryDenyWriteExecute.
(cherry picked from commit 6c437ef)
<listitem> | ||
<para> | ||
Add option <literal>services.nginx.enableSandbox</literal> to starting Nginx web server with additional sandbox/hardening options. | ||
By default, write access to <literal>services.nginx.stateDir</literal> is allowed. To allow writing to other folders, |
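Review bot: the release note only covers the ReadWritePaths exception for services.nginx.stateDir; it should also state that with enableSandbox the unit gets ProtectHome, so content under /home or /root is no longer served unless ProtectHome is overridden on the nginx unit, and it should name ReadWritePaths on systemd.services.nginx.serviceConfig as the way to allow writes elsewhere. Minor: "to starting Nginx web server" reads better as "to start the Nginx web server".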
I think that the release notes should also have mentioned that due to the added ProtectHome = mkDefault true;, nginx can no longer serve files from users' home directories. It's not uncommon to serve subdirectories of home directories publicly (e.g. /home/*/public_html/), and this change breaks that without any mention.
I made PR #103147 for that. Needs 20.09 backport.
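For the public_html case just described, an added example (not code from the PR or from nix-bitcoin) of a host configuration that keeps enableSandbox on but makes home directories readable again and grants one extra writable path for a proxy cache. It assumes the PR's option name, that the module sets ProtectHome with mkDefault so a plain assignment on the unit overrides it, that the ReadWritePaths lists from the module and from this file are merged, and the cache path and backend address are made up.

```nix
# Added example, not part of the PR: a configuration.nix fragment that keeps
# the sandbox on and re-opens what it closes. Assumes the PR's enableSandbox
# option sets ProtectHome with mkDefault (so the plain assignment below wins)
# and that ReadWritePaths from the module and from here are merged into one
# list; the cache path and the backend address are made up for the example.
{ config, pkgs, ... }:

{
  services.nginx = {
    enable = true;
    enableSandbox = true;

    # A proxy cache outside stateDir: nginx has to be able to write here.
    appendHttpConfig = ''
      proxy_cache_path /var/cache/nginx-proxy levels=1:2 keys_zone=app:10m
                       max_size=1g inactive=1h use_temp_path=off;
    '';

    virtualHosts."www.example.org" = {
      root = "/srv/www";

      # The public_html layout; with ProtectHome = true this is an empty
      # directory from nginx's point of view and every request is a 404.
      locations."~ ^/~([a-z][a-z0-9_-]*)/(.*)$".alias =
        "/home/$1/public_html/$2";

      locations."/app/" = {
        proxyPass = "http://127.0.0.1:8080/";
        extraConfig = "proxy_cache app;";
      };
    };
  };

  # Create the cache directory for the nginx user; ProtectSystem=strict
  # only lets the unit write into paths listed in ReadWritePaths.
  systemd.tmpfiles.rules = [
    "d /var/cache/nginx-proxy 0750 ${config.services.nginx.user} ${config.services.nginx.group} - -"
  ];

  systemd.services.nginx.serviceConfig = {
    # Home directories stay visible but cannot be written to.
    ProtectHome = "read-only";
    # Appended to the module's own entry for stateDir.
    ReadWritePaths = [ "/var/cache/nginx-proxy" ];
  };
}
```

After a rebuild, `systemctl show nginx.service -p ProtectHome -p ReadWritePaths` should print `ProtectHome=read-only` and both the state directory and the cache path; if the cache path is missing, the list was not merged and the module's entry needs to be kept by hand.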
…-notes manual: nginx: Mention ProtectHome in release notes. See #85567
See NixOS#85567 (review) (cherry picked from commit 2f845dc)
Motivation for this change
PR based on #60646
Enable running the nginx web service in sandboxing mode.
cc @dasJ @flokli @aanderse @Mic92
Things done
- Tested using sandboxing (option sandbox in nix.conf on non-NixOS linux)
- Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
- Tested execution of all binary files (usually in ./result/bin/)
- Determined the impact on package closure size (by running nix path-info -S before and after)