More strict config for kmod-static-nodes

Signed-off-by: Ganga Ram <[email protected]>
tiiuae · Jan 24, 2025 · bb5e549 · bb5e549
1 parent 0d6b6b1
commit bb5e549
Showing 1 changed file with 11 additions and 110 deletions.
diff --git a/modules/common/systemd/hardened-configs/common/kmod-static-nodes.nix b/modules/common/systemd/hardened-configs/common/kmod-static-nodes.nix
@@ -2,133 +2,36 @@
 # SPDX-License-Identifier: Apache-2.0
 #
 {
-  ##############
-  # Networking #
-  ##############
-
   PrivateNetwork = true;
-  # IPAccounting=yes
   IPAddressDeny = "any";
-  RestrictAddressFamilies = [
-    #"~AF_PACKET"
-    #"~AF_NETLINK"
-    #"~AF_UNIX"
-    #"~AF_INET"
-    #"~AF_INET6"
-  ];
-
-  ###############
-  # File system #
-  ###############
-
-  # ProtectHome=true;
-  ProtectSystem = "full";
+  RestrictAddressFamilies = "none";
+  RestrictNamespaces = true;
   ProtectProc = "noaccess";
-  # ReadWritePaths=[ "/etc"];
-  # PrivateTmp=true;
-
-  # Not applicable for the service runs as root
-  # PrivateMounts=true;
-  # ProcSubset="all";
-
-  ###################
-  # User separation #
-  ###################
-
-  # Not applicable for the service runs as root
+  PrivateMounts = true; # ##
   PrivateUsers = true;
-  # DynamicUser=true;
-
-  ###########
-  # Devices #
-  ###########
-
-  # PrivateDevices=false;
-  # DeviceAllow=/dev/null
-
-  ##########
-  # Kernel #
-  ##########
-
+  DynamicUser = false;
+  PrivateDevices = false;
   ProtectKernelTunables = true;
   ProtectKernelModules = true;
   ProtectKernelLogs = true;
-
-  ########
-  # Misc #
-  ########
-
   Delegate = false;
-  # KeyringMode="private";
+  KeyringMode = "private";
   NoNewPrivileges = true;
   UMask = 77;
   ProtectHostname = true;
   ProtectClock = true;
   ProtectControlGroups = true;
-  RestrictNamespaces = true;
-  /*
-      RestrictNamespaces=[
-     #"~user"
-     #"~pid"
-     #"~net"
-     #"~uts"
-     #"~mnt"
-     #"~cgroup"
-     #"~ipc"
-    ];
-  */
   LockPersonality = true;
   MemoryDenyWriteExecute = true;
   RestrictRealtime = true;
   RestrictSUIDSGID = true;
-  # RemoveIPC=true
   SystemCallArchitectures = "native";
-  # NotifyAccess=false;
-
-  ################
-  # Capabilities #
-  ################
+  NotifyAccess = "main";
 
-  #AmbientCapabilities=
   CapabilityBoundingSet = [
-    "~CAP_SYS_PACCT"
-    "~CAP_KILL"
-    # "~CAP_WAKE_ALARM"
-    # "~CAP_DAC_*
-    "~CAP_FOWNER"
-    # "~CAP_IPC_OWNER"
-    # "~CAP_BPF"
-    "~CAP_LINUX_IMMUTABLE"
-    # "~CAP_IPC_LOCK"
-    "~CAP_SYS_MODULE"
-    "~CAP_SYS_TTY_CONFIG"
-    "~CAP_SYS_BOOT"
-    "~CAP_SYS_CHROOT"
-    # "~CAP_BLOCK_SUSPEND"
-    "~CAP_LEASE"
-    "~CAP_MKNOD"
-    # "~CAP_CHOWN"
-    # "~CAP_FSETID"
-    # "~CAP_SETFCAP"
-    # "~CAP_SETUID"
-    # "~CAP_SETGID"
-    # "~CAP_SETPCAP"
-    # "~CAP_MAC_ADMIN"
-    # "~CAP_MAC_OVERRIDE"
-    "~CAP_SYS_RAWIO"
-    "~CAP_SYS_PTRACE"
-    # "~CAP_SYS_NICE"
-    # "~CAP_SYS_RESOURCE"
-    "~CAP_NET_ADMIN"
-    "~CAP_NET_BIND_SERVICE"
-    "~CAP_NET_BROADCAST"
-    "~CAP_NET_RAW"
-    # "~CAP_AUDIT_CONTROL"
-    # "~CAP_AUDIT_READ"
-    # "~CAP_AUDIT_WRITE"
-    "~CAP_SYS_ADMIN"
-    # "~CAP_SYSLOG"
-    # "~CAP_SYS_TIME
+    "CAP_SYS_MODULE"
+    "CAP_MKNOD"
+    "CAP_SYS_ADMIN"
   ];
 
   ################
@@ -137,13 +40,11 @@
 
   SystemCallFilter = [
     "~@clock"
-    # "~@cpu-emulation"
+    "~@cpu-emulation"
     "~@debug"
     "~@module"
     "~@mount"
     "~@obsolete"
-    # "~@privileged"
-    # "~@raw-io"
     "~@reboot"
     "~@resources"
     "~@swap"