nixos/github-runner: systemd service hardening

2 years ago · 334b30c464
parent baedfc4da9
commit 334b30c464
3 changed files with 23 additions and 0 deletions
--- a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml
+++ b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml
@ -978,6 +978,15 @@
          <literal>true</literal>.
        </para>
      </listitem>
+      <listitem>
+        <para>
+          <literal>services.github-runner</literal> has been hardened.
+          Notably address families and system calls have been
+          restricted, which may adversely affect some kinds of testing,
+          e.g. using <literal>AF_BLUETOOTH</literal> to test bluetooth
+          devices.
+        </para>
+      </listitem>
      <listitem>
        <para>
          The terraform 0.12 compatibility has been removed and the
--- a/nixos/doc/manual/release-notes/rl-2205.section.md
+++ b/nixos/doc/manual/release-notes/rl-2205.section.md
@ -357,6 +357,10 @@ In addition to numerous new and upgraded packages, this release has the followin

 - The Tor SOCKS proxy is now actually disabled if `services.tor.client.enable` is set to `false` (the default). If you are using this functionality but didn't change the setting or set it to `false`, you now need to set it to `true`.

+- `services.github-runner` has been hardened.  Notably address families and
+  system calls have been restricted, which may adversely affect some kinds of
+  testing, e.g. using `AF_BLUETOOTH` to test bluetooth devices.
+
 - The terraform 0.12 compatibility has been removed and the `terraform.withPlugins` and `terraform-providers.mkProvider` implementations simplified. Providers now need to be stored under
 `$out/libexec/terraform-providers/<registry>/<owner>/<name>/<version>/<os>_<arch>/terraform-provider-<name>_v<version>` (which mkProvider does).

--- a/nixos/modules/services/continuous-integration/github-runner.nix
+++ b/nixos/modules/services/continuous-integration/github-runner.nix
@ -299,6 +299,16 @@ in
        RestrictRealtime = true;
        RestrictSUIDSGID = true;
        UMask = "0066";
+        ProtectProc = "invisible";
+        ProcSubset = "pid";
+        SystemCallFilter = [
+          "~@debug"
+          "~@mount"
+          "~@privileged"
+          "~@cpu-emulation"
+          "~@obsolete"
+        ];
+        RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" "AF_NETLINK" ];

        # Needs network access
        PrivateNetwork = false;