
nixos/zerotierone: Sandbox the systemd service #64384

Closed

@gazally gazally commented Jul 6, 2019

Motivation for this change

Reducing the number of services that run as root with full privileges.

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nix-review --run "nix-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.

@@ -44,15 +44,39 @@ in
wantedBy = [ "multi-user.target" ];
preStart = ''
mkdir -p /var/lib/zerotier-one/networks.d
chmod 700 /var/lib/zerotier-one
chown -R root:root /var/lib/zerotier-one
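Review bot: `chown -R root:root /var/lib/zerotier-one` in preStart recurses over the entire state directory (networks.d and whatever else lives there) on every start, and it would silently re-root ownership if the state directory were ever handed to a dedicated user later; since the stated motivation is reducing root-privileged services, the commit message should say plainly that the daemon itself still runs as root and that the hardening in this change comes from the systemd sandboxing options rather than a user change. Consider restricting the chown to the top-level directory (or dropping it, given `mkdir -p` under root already produces root-owned paths) so repeated starts do not rewrite ownership of the whole tree.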
Will this break existing installations?

No. See lines 55 and 56

arianvp commented Jul 6, 2019

@gazally are you aware of the systemd.services.<name>.confinement option in NixOS? Maybe it is of interest to sandbox it even more

gazally commented Jul 6, 2019

No, it's new to me but it looks useful. I tried it out with mode = "chroot-only" and the service seems to work fine but I get this log message:

Jul 06 10:17:52 sockeye systemd[24556]: Failed to create directory at /nix/store/0nqm27ihpwsd38mahblbrqxi92xy9lgm-zerotierone-chroot/usr: Read-only file system

This is issued before the pre-start script starts.

arianvp commented Jul 6, 2019

Oh apparently RootDirectory and StateDirectory cannot be combined, as it will try to add the StateDirectory to the immutable RootDirectory, which will fail. So alas :( I'm not sure if this is a bug or desired behaviour.

Edit:
Systemd insists on creating /usr in this read-only root directory before TemporaryFilesystem=/ is bind-mounted. And thus it fails. I have filed a bug for this here: #64392

Anyhow, the error is nonfatal, and just a warning log message. systemd just continues executing everything just fine. It's annoying but shouldn't break anything.

arianvp commented Jul 6, 2019

@gazally conclusion is that you can ignore that error message. It isn't fatal. I'll see if I can make systemd suppress the message in a separate PR.

gazally commented Jul 6, 2019

I've pushed a revised version with confinement enabled. It appears that confinement makes ProtectHome and ProtectSystem unnecessary so I removed those. While I was at it I decided to explicitly set to false the systemd settings which disagree with zerotier-one, in case the underlying defaults are changed at some point in the future.

arianvp commented Sep 5, 2019

This looks fine to me.

PrivateTmp = true;
ProtectControlGroups = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
Please note that this implies MountAPIVFS, so you could just go with the default confinement mode of full-apivfs and remove these options.
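As an added illustration, not code from the PR or from the nixpkgs module, a NixOS fragment that puts the reviewer's suggestion beside the variant tried earlier in this thread; the unit name `zerotierone` and the `confinement` option path are assumed to match the existing module:

```nix
# Added example, not the PR's diff or the nixpkgs module. Option paths are
# real NixOS/systemd options; the unit name "zerotierone" is assumed.
{ lib, ... }:
{
  systemd.services.zerotierone = {
    confinement.enable = true;

    # Variant tried in this thread: a chroot without the API VFS, plus the
    # explicit Protect* options quoted above. Per the review comment, those
    # options imply MountAPIVFS, so "chroot-only" gains nothing here and the
    # unit ends up with /proc and /sys mounted in the chroot anyway.
    #
    #   confinement.mode = "chroot-only";
    #   serviceConfig.ProtectControlGroups = true;
    #   serviceConfig.ProtectKernelModules = true;
    #   serviceConfig.ProtectKernelTunables = true;

    # Reviewer's suggestion: keep the default mode (spelled out here) and
    # drop the redundant options. full-apivfs mounts the API filesystems
    # inside the chroot, which is what the Protect* options rely on.
    confinement.mode = "full-apivfs";

    serviceConfig = {
      # Independent of the confinement mode, so it stays.
      PrivateTmp = true;
    };
  };
}
```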

stale bot commented Jun 1, 2020

Thank you for your contributions.
This has been automatically marked as stale because it has had no activity for 180 days.
If this is still important to you, we ask that you leave a comment below. Your comment can be as simple as "still important to me". This lets people see that at least one person still cares about this. Someone will have to do this at most twice a year if there is no other activity.
Here are suggestions that might help resolve this more quickly:

  1. Search for maintainers and people that previously touched the related code and @ mention them in a comment.
  2. Ask on the NixOS Discourse.
  3. Ask on the #nixos channel on irc.freenode.net.

@stale stale bot added the 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md label Jun 1, 2020
@gazally gazally closed this Jun 2, 2020