nixos/babeld: run as DynamicUser

The last bits to prevent babeld from running unprivileged was its kernel_setup_interface routine, that wants to set per interface rp_filter. This behaviour has been disabled in a patch that has been submitted upstream at https://github.com/jech/babeld/pull/68 and reuses the skip-kernel-setup config option. → Overall exposure level for babeld.service: 1.7 OK 🙂
4 years ago · e8988f7a30
parent 70c96f0e02
commit e8988f7a30
2 changed files with 21 additions and 2 deletions
--- a/nixos/doc/manual/release-notes/rl-2105.xml
+++ b/nixos/doc/manual/release-notes/rl-2105.xml
@ -680,6 +680,13 @@ environment.systemPackages = [
     All CUDA toolkit versions prior to CUDA 10 have been removed.
    </para>
   </listitem>
+   <listitem>
+     <para>
+       The <package>babeld</package> service is now being run as an unprivileged user. To achieve that the module configures
+       <literal>skip-kernel-setup true</literal> and takes care of setting forwarding and rp_filter sysctls by itself as well
+       as for each interface in <varname>services.babeld.interfaces</varname>.
+     </para>
+   </listitem>
  </itemizedlist>
 </section>

--- a/nixos/modules/services/networking/babeld.nix
+++ b/nixos/modules/services/networking/babeld.nix
@ -19,7 +19,10 @@ let
    "interface ${name} ${paramsString interface}\n";

  configFile = with cfg; pkgs.writeText "babeld.conf" (
-    (optionalString (cfg.interfaceDefaults != null) ''
+    ''
+      skip-kernel-setup true
+    ''
+    + (optionalString (cfg.interfaceDefaults != null) ''
      default ${paramsString cfg.interfaceDefaults}
    '')
    + (concatMapStrings interfaceConfig (attrNames cfg.interfaces))
@ -84,13 +87,22 @@ in

  config = mkIf config.services.babeld.enable {

+    boot.kernel.sysctl = {
+      "net.ipv6.conf.all.forwarding" = 1;
+      "net.ipv6.conf.all.accept_redirects" = 0;
+      "net.ipv4.conf.all.forwarding" = 1;
+      "net.ipv4.conf.all.rp_filter" = 0;
+    } // lib.mapAttrs' (ifname: _: lib.nameValuePair "net.ipv4.conf.${ifname}.rp_filter" (lib.mkDefault 0)) config.services.babeld.interfaces;
+
    systemd.services.babeld = {
      description = "Babel routing daemon";
      after = [ "network.target" ];
      wantedBy = [ "multi-user.target" ];
      serviceConfig = {
        ExecStart = "${pkgs.babeld}/bin/babeld -c ${configFile} -I /run/babeld/babeld.pid -S /var/lib/babeld/state";
+        AmbientCapabilities = [ "CAP_NET_ADMIN" ];
        CapabilityBoundingSet = [ "CAP_NET_ADMIN" ];
+        DynamicUser = true;
        IPAddressAllow = [ "fe80::/64" "ff00::/8" "::1/128" "127.0.0.0/8" ];
        IPAddressDeny = "any";
        LockPersonality = true;
@ -98,7 +110,7 @@ in
        MemoryDenyWriteExecute = true;
        ProtectSystem = "strict";
        ProtectClock = true;
-        ProtectKernelTunables = false; # Couldn't write sysctl: Read-only file system
+        ProtectKernelTunables = true;
        ProtectKernelModules = true;
        ProtectKernelLogs = true;
        ProtectControlGroups = true;