nixos/syncthing.nix: Sandbox the systemd service. #78134
Conversation
Using systemd sandboxing features to harden the syncthing service.
| RestrictNamespaces = true; | ||
| RestrictRealtime = true; | ||
| RestrictSUIDSGID = true; | ||
| CapabilityBoundingSet = [ |
There was a problem hiding this comment.
Can we invert this list, by only listing the caps we need?
http://0pointer.de/blog/projects/security.html does it that way, and I'm not sure why we'd need it the other way round.
There was a problem hiding this comment.
There are ~40 capabilities.
While I'm pretty sure we don't want to use some of them, I'm unsure about some other and fear I'm going to break the service in unexpected ways.
Since the test coverage here is close to 0, I'd like to start collecting the low hanging fruit by blocking the obvious worst offenders.
Maybe somebody else will be either familiar enough with the syncthing codebase either patient enough to test the capabilities one by one.
| PrivateTmp = true; | ||
| PrivateUsers = true; | ||
| ProtectControlGroups = true; | ||
| ProtectHostname = true; |
There was a problem hiding this comment.
More a curious question: Can the process change its hostname in first place, if it isn't run as root?
There was a problem hiding this comment.
You can do it with some capabilities, at least with CAP_SYS_ADMIN. That said, this capability is blocked by our current CapabilityBoundingSet.
Better being safe than sorry.
Motivation for this change
The current syncthing service does not leverage the
systemdservice sandboxing features.Hardening the service using those.
Things done
sandboxinnix.confon non-NixOS linux)nix-shell -p nixpkgs-review --run "nixpkgs-review wip"./result/bin/)nix path-info -Sbefore and after)cc @Lassulus