nixos/public-inbox: support enabling confinement

Add support for enabling confinement but does not enable it by default yet because so far no module within NixOS uses confinement hence that would set a precedent.
2 years ago · c646d375d3
parent 8b2b5be3b5
commit c646d375d3
1 changed files with 114 additions and 95 deletions
--- a/nixos/modules/services/mail/public-inbox.nix
+++ b/nixos/modules/services/mail/public-inbox.nix
@ -48,78 +48,98 @@ let
    let proto = removeSuffix "d" srv;
        needNetwork = builtins.hasAttr proto cfg && cfg.${proto}.port == null;
    in {
-    # Enable JIT-compiled C (via Inline::C)
+    serviceConfig = {
-    Environment = [ "PERL_INLINE_DIRECTORY=/run/public-inbox-${srv}/perl-inline" ];
+      # Enable JIT-compiled C (via Inline::C)
-    # NonBlocking is REQUIRED to avoid a race condition
+      Environment = [ "PERL_INLINE_DIRECTORY=/run/public-inbox-${srv}/perl-inline" ];
-    # if running simultaneous services.
+      # NonBlocking is REQUIRED to avoid a race condition
-    NonBlocking = true;
+      # if running simultaneous services.
-    #LimitNOFILE = 30000;
+      NonBlocking = true;
-    User = config.users.users."public-inbox".name;
+      #LimitNOFILE = 30000;
-    Group = config.users.groups."public-inbox".name;
+      User = config.users.users."public-inbox".name;
-    RuntimeDirectory = [
+      Group = config.users.groups."public-inbox".name;
-      "public-inbox-${srv}/perl-inline"
+      RuntimeDirectory = [
-      # Create RootDirectory= in the host's mount namespace.
+          "public-inbox-${srv}/perl-inline"
-      "public-inbox-${srv}/root"
+        ];
-    ];
+      RuntimeDirectoryMode = "700";
-    RuntimeDirectoryMode = "700";
+      # This is for BindPaths= and BindReadOnlyPaths=
-    # Avoid mounting RootDirectory= in the own RootDirectory= of ExecStart='s mount namespace.
+      # to allow traversal of directories they create inside RootDirectory=
-    InaccessiblePaths = ["-+/run/public-inbox-${srv}/root"];
+      UMask = "0066";
-    # This is for BindPaths= and BindReadOnlyPaths=
+      StateDirectory = ["public-inbox"];
-    # to allow traversal of directories they create in RootDirectory=.
+      StateDirectoryMode = "0750";
-    UMask = "0066";
+      WorkingDirectory = stateDir;
-    RootDirectory = "/run/public-inbox-${srv}/root";
+      BindReadOnlyPaths = [
-    RootDirectoryStartOnly = true;
+          "/etc"
-    WorkingDirectory = stateDir;
+          "/run/systemd"
-    MountAPIVFS = true;
+          "${config.i18n.glibcLocales}"
-    BindReadOnlyPaths = [
+        ] ++
-      builtins.storeDir
+        mapAttrsToList (name: inbox: inbox.description) cfg.inboxes ++
-      "/etc"
+        # Without confinement the whole Nix store
-      "/run"
+        # is made available to the service
-      # For Inline::C
+        optionals (!config.systemd.services."public-inbox-${srv}".confinement.enable) [
-      "/bin/sh"
+          "${pkgs.dash}/bin/dash:/bin/sh"
-    ];
+          builtins.storeDir
-    BindPaths = [
+        ];
-      stateDir
+      # The following options are only for optimizing:
-    ];
+      # systemd-analyze security public-inbox-'*'
-    # The following options are only for optimizing:
+      AmbientCapabilities = "";
-    # systemd-analyze security public-inbox-'*'
+      CapabilityBoundingSet = "";
-    AmbientCapabilities = "";
+      # ProtectClock= adds DeviceAllow=char-rtc r
-    CapabilityBoundingSet = "";
+      DeviceAllow = "";
-    # ProtectClock= adds DeviceAllow=char-rtc r
+      LockPersonality = true;
-    DeviceAllow = "";
+      MemoryDenyWriteExecute = true;
-    LockPersonality = true;
+      NoNewPrivileges = true;
-    MemoryDenyWriteExecute = true;
+      PrivateNetwork = mkDefault (!needNetwork);
-    NoNewPrivileges = true;
+      ProcSubset = "pid";
-    PrivateDevices = true;
+      ProtectClock = true;
-    PrivateMounts = true;
+      ProtectHome = mkDefault true;
-    PrivateNetwork = mkDefault (!needNetwork);
+      ProtectHostname = true;
-    PrivateTmp = true;
+      ProtectKernelLogs = true;
-    PrivateUsers = true;
+      ProtectProc = "invisible";
-    ProcSubset = "pid";
+      #ProtectSystem = "strict";
-    ProtectClock = true;
+      RemoveIPC = true;
-    ProtectControlGroups = true;
+      RestrictAddressFamilies = [ "AF_UNIX" ] ++
-    ProtectHome = mkDefault true;
+        optionals needNetwork [ "AF_INET" "AF_INET6" ];
-    ProtectHostname = true;
+      RestrictNamespaces = true;
-    ProtectKernelLogs = true;
+      RestrictRealtime = true;
-    ProtectKernelModules = true;
+      RestrictSUIDSGID = true;
-    ProtectKernelTunables = true;
+      SystemCallFilter = [
-    ProtectProc = "invisible";
+        "@system-service"
-    ProtectSystem = "strict";
+        "~@aio" "~@chown" "~@keyring" "~@memlock" "~@resources"
-    RemoveIPC = true;
+        # Not removing @setuid and @privileged because Inline::C needs them.
-    RestrictAddressFamilies = [ "AF_UNIX" ]
+        # Not removing @timer because git upload-pack needs it.
-      ++ optionals needNetwork [ "AF_INET" "AF_INET6" ];
+      ];
-    RestrictNamespaces = true;
+      SystemCallArchitectures = "native";
-    RestrictRealtime = true;
+
-    RestrictSUIDSGID = true;
+      # The following options are redundant when confinement is enabled
-    SystemCallFilter = [
+      RootDirectory = "/var/empty";
-      "@system-service"
+      TemporaryFileSystem = "/";
-      "~@aio" "~@chown" "~@keyring" "~@memlock" "~@resources"
+      PrivateMounts = true;
-      # Not removing @setuid and @privileged
+      MountAPIVFS = true;
-      # because Inline::C needs them.
+      PrivateDevices = true;
-      # Not removing @timer
+      PrivateTmp = true;
-      # because git upload-pack needs it.
+      PrivateUsers = true;
-    ];
+      ProtectControlGroups = true;
-    SystemCallArchitectures = "native";
+      ProtectKernelModules = true;
      ProtectKernelTunables = true;
    };
    confinement = {
      # Until we agree upon doing it directly here in NixOS
      # https://github.com/NixOS/nixpkgs/pull/104457#issuecomment-1115768447
      # let the user choose to enable the confinement with:
      # systemd.services.public-inbox-httpd.confinement.enable = true;
      # systemd.services.public-inbox-imapd.confinement.enable = true;
      # systemd.services.public-inbox-init.confinement.enable = true;
      # systemd.services.public-inbox-nntpd.confinement.enable = true;
      #enable = true;
      mode = "full-apivfs";
      # Inline::C needs a /bin/sh, and dash is enough
      binSh = "${pkgs.dash}/bin/dash";
      packages = [
          pkgs.iana-etc
          (getLib pkgs.nss)
          pkgs.tzdata
        ];
    };
  };
 in
@ -168,6 +188,7 @@ in
          type = types.str;
          example = "user/dev discussion of public-inbox itself";
          description = "User-visible description for the repository.";
          apply = pkgs.writeText "public-inbox-description-${name}";
        };
        options.newsgroup = mkOption {
          type = with types; nullOr str;
@ -409,24 +430,24 @@ in
      ) [ "imap" "http" "nntp" ]);
    systemd.services = mkMerge [
      (mkIf cfg.imap.enable
-        { public-inbox-imapd = {
+        { public-inbox-imapd = mkMerge [(serviceConfig "imapd") {
          after = [ "public-inbox-init.service" "public-inbox-watch.service" ];
          requires = [ "public-inbox-init.service" ];
-          serviceConfig = mkMerge [(serviceConfig "imapd") {
+          serviceConfig = {
            ExecStart = escapeShellArgs (
              [ "${cfg.package}/bin/public-inbox-imapd" ] ++
              cfg.imap.args ++
              optionals (cfg.imap.cert != null) [ "--cert" cfg.imap.cert ] ++
              optionals (cfg.imap.key != null) [ "--key" cfg.imap.key ]
            );
-          }];
+          };
-        };
+        }];
      })
      (mkIf cfg.http.enable
-        { public-inbox-httpd = {
+        { public-inbox-httpd = mkMerge [(serviceConfig "httpd") {
          after = [ "public-inbox-init.service" "public-inbox-watch.service" ];
          requires = [ "public-inbox-init.service" ];
-          serviceConfig = mkMerge [(serviceConfig "httpd") {
+          serviceConfig = {
            ExecStart = escapeShellArgs (
              [ "${cfg.package}/bin/public-inbox-httpd" ] ++
              cfg.http.args ++
@ -458,41 +479,41 @@ in
                }
              '') ]
            );
-          }];
+          };
-        };
+        }];
      })
      (mkIf cfg.nntp.enable
-        { public-inbox-nntpd = {
+        { public-inbox-nntpd = mkMerge [(serviceConfig "nntpd") {
          after = [ "public-inbox-init.service" "public-inbox-watch.service" ];
          requires = [ "public-inbox-init.service" ];
-          serviceConfig = mkMerge [(serviceConfig "nntpd") {
+          serviceConfig = {
            ExecStart = escapeShellArgs (
              [ "${cfg.package}/bin/public-inbox-nntpd" ] ++
              cfg.nntp.args ++
              optionals (cfg.nntp.cert != null) [ "--cert" cfg.nntp.cert ] ++
              optionals (cfg.nntp.key != null) [ "--key" cfg.nntp.key ]
            );
-          }];
+          };
-        };
+        }];
      })
      (mkIf (any (inbox: inbox.watch != []) (attrValues cfg.inboxes)
        || cfg.settings.publicinboxwatch.watchspam != null)
-        { public-inbox-watch = {
+        { public-inbox-watch = mkMerge [(serviceConfig "watch") {
          inherit (cfg) path;
          wants = [ "public-inbox-init.service" ];
          requires = [ "public-inbox-init.service" ] ++
            optional (cfg.settings.publicinboxwatch.spamcheck == "spamc") "spamassassin.service";
          wantedBy = [ "multi-user.target" ];
-          serviceConfig = mkMerge [(serviceConfig "watch") {
+          serviceConfig = {
            ExecStart = "${cfg.package}/bin/public-inbox-watch";
            ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
-          }];
+          };
-        };
+        }];
      })
      ({ public-inbox-init = let
          PI_CONFIG = gitIni.generate "public-inbox.ini"
            (filterAttrsRecursive (n: v: v != null) cfg.settings);
-          in {
+          in mkMerge [(serviceConfig "init") {
          wantedBy = [ "multi-user.target" ];
          restartIfChanged = true;
          restartTriggers = [ PI_CONFIG ];
@ -520,7 +541,7 @@ in
                rm -rf $conf_dir
              fi
-              ln -sf ${pkgs.writeText "description" inbox.description} \
+              ln -sf ${inbox.description} \
                ${stateDir}/inboxes/${escapeShellArg name}/description
              export GIT_DIR=${stateDir}/inboxes/${escapeShellArg name}/all.git
@ -540,18 +561,16 @@ in
              ${cfg.package}/bin/public-inbox-index "$inbox"
            done
          '';
-          serviceConfig = mkMerge [(serviceConfig "init") {
+          serviceConfig = {
            Type = "oneshot";
            RemainAfterExit = true;
            StateDirectory = [
              "public-inbox"
              "public-inbox/.public-inbox"
              "public-inbox/.public-inbox/emergency"
              "public-inbox/inboxes"
            ];
-            StateDirectoryMode = "0750";
+          };
-          }];
+        }];
        };
      })
    ];
    environment.systemPackages = with pkgs; [ cfg.package ];