New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
nixos/syncthing.nix: Sandbox the systemd service. #78134
Conversation
Using systemd sandboxing features to harden the syncthing service.
RestrictNamespaces = true; | ||
RestrictRealtime = true; | ||
RestrictSUIDSGID = true; | ||
CapabilityBoundingSet = [ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we invert this list, by only listing the caps we need?
http://0pointer.de/blog/projects/security.html does it that way, and I'm not sure why we'd need it the other way round.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There are ~40 capabilities.
While I'm pretty sure we don't want to use some of them, I'm unsure about some other and fear I'm going to break the service in unexpected ways.
Since the test coverage here is close to 0, I'd like to start collecting the low hanging fruit by blocking the obvious worst offenders.
Maybe somebody else will be either familiar enough with the syncthing codebase either patient enough to test the capabilities one by one.
PrivateTmp = true; | ||
PrivateUsers = true; | ||
ProtectControlGroups = true; | ||
ProtectHostname = true; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
More a curious question: Can the process change its hostname in first place, if it isn't run as root?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You can do it with some capabilities, at least with CAP_SYS_ADMIN
. That said, this capability is blocked by our current CapabilityBoundingSet
.
Better being safe than sorry.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Makes sense, thanks!
Motivation for this change
The current syncthing service does not leverage the
systemd
service sandboxing features.Hardening the service using those.
Things done
sandbox
innix.conf
on non-NixOS linux)nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
./result/bin/
)nix path-info -S
before and after)cc @Lassulus