From f104bc79e19fd02ef4ebe7c49f76be6425c334a9 Mon Sep 17 00:00:00 2001
From: Anthony Roussel
Date: Wed, 17 Apr 2024 21:52:28 +0200
Subject: [PATCH] nixos/gns3-server: disable SystemD hardening
---
.../services/networking/gns3-server.nix | 33 ++-----------------
1 file changed, 2 insertions(+), 31 deletions(-)
diff --git a/nixos/modules/services/networking/gns3-server.nix b/nixos/modules/services/networking/gns3-server.nix
index 637d6184bc6f5b3..6863bdee5894c2b 100644
--- a/nixos/modules/services/networking/gns3-server.nix
+++ b/nixos/modules/services/networking/gns3-server.nix
@@ -210,6 +210,8 @@ in {
 reloadTriggers = [ configFile ];
+ # SystemD sandboxing does not work with GNS3.
+ # GNS3 needs to run SUID binaries (ubridge), but NoNewPrivileges breaks execution of SUID binaries
 serviceConfig = {
 ConfigurationDirectory = "gns3";
 ConfigurationDirectoryMode = "0750";
@@ -232,37 +234,6 @@ in {
 ++ lib.optional cfg.ubridge.enable "ubridge";
 User = "gns3";
 WorkingDirectory = "%S/gns3";
-
- # Hardening
- DeviceAllow = lib.optional flags.enableLibvirtd "/dev/kvm";
- DevicePolicy = "closed";
- LockPersonality = true;
- MemoryDenyWriteExecute = true;
- NoNewPrivileges = true;
- PrivateTmp = true;
- PrivateUsers = true;
- # Don't restrict ProcSubset because python3Packages.psutil requires read access to /proc/stat
- # ProcSubset = "pid";
- ProtectClock = true;
- ProtectControlGroups = true;
- ProtectHome = true;
- ProtectHostname = true;
- ProtectKernelLogs = true;
- ProtectKernelModules = true;
- ProtectKernelTunables = true;
- ProtectProc = "invisible";
- ProtectSystem = "strict";
- RestrictAddressFamilies = [
- "AF_INET"
- "AF_INET6"
- "AF_NETLINK"
- "AF_UNIX"
- "AF_PACKET"
- ];
- RestrictNamespaces = true;
- RestrictRealtime = true;
- RestrictSUIDSGID = true;
- UMask = "0077";
 };
 };
 };
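Review bot: The added comment names NoNewPrivileges as the sole blocker, yet the commit drops the entire hardening set, including options that, as I read systemd.exec(5), neither imply NoNewPrivileges nor affect setuid execution — `ProtectSystem = "strict"; ProtectHome = true; PrivateTmp = true; UMask = "0077";` — so those should be retested and kept rather than removed with the rest. The broad removal is justified for the others, but for a different reason than the comment gives: MemoryDenyWriteExecute, RestrictRealtime, RestrictSUIDSGID, RestrictNamespaces, RestrictAddressFamilies, LockPersonality, ProtectClock and the ProtectKernel* options imply NoNewPrivileges, and PrivateUsers defeats setuid on its own because root is unmapped in the unit's user namespace. I would reword the comment to `# Most systemd sandboxing options imply NoNewPrivileges and PrivateUsers leaves root unmapped; both stop the setuid-root ubridge wrapper from gaining privileges, so only filesystem/umask hardening can stay.` so the next maintainer does not simply re-add NoNewPrivileges=false and expect the rest to work. Since ubridge is setuid root, `User = "gns3"` does not confine that helper either, which is worth one line in the same comment. The enclosing `systemd.services` attribute set starts outside the hunk.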