Merge pull request 'actions-runner: apply systemd hardening' (#5) from test into main

Reviewed-on: #5
2023-07-13 12:46:06 +00:00 · 2023-07-13 12:46:06 +00:00 · 4bd83a8f11
commit 4bd83a8f11
parent b34dafa8eb a5ac121a1f
2 changed files with 74 additions and 16 deletions
--- a/modules/web01/gitea/actions-runner.nix
+++ b/modules/web01/gitea/actions-runner.nix
@ -26,18 +26,75 @@
  systemd.services.gitea-runner-nix = {
    after = [ "gitea-runner-nix-token.service" ];
    requires = [ "gitea-runner-nix-token.service" ];
+
    # TODO: systemd confinment
-    #serviceConfig = {
-    #  Environment = [
-    #    "NIX_REMOTE=daemon"
-    #    "PAGER=cat"
-    #  ];
-    #  BindPaths = [
-    #    "/nix/var/nix/daemon-socket/socket"
-    #    "/run/nscd/socket"
-    #    "/var/lib/drone"
-    #  ];
-    #};
+    serviceConfig = {
+      # Hardening (may overlap with DynamicUser=)
+      # The following options are only for optimizing output of systemd-analyze
+      AmbientCapabilities = "";
+      CapabilityBoundingSet = "";
+      # ProtectClock= adds DeviceAllow=char-rtc r
+      DeviceAllow = "";
+      NoNewPrivileges = true;
+      PrivateDevices = true;
+      PrivateMounts = true;
+      PrivateTmp = true;
+      PrivateUsers = true;
+      ProtectClock = true;
+      ProtectControlGroups = true;
+      ProtectHome = true;
+      ProtectHostname = true;
+      ProtectKernelLogs = true;
+      ProtectKernelModules = true;
+      ProtectKernelTunables = true;
+      ProtectSystem = "strict";
+      RemoveIPC = true;
+      RestrictNamespaces = true;
+      RestrictRealtime = true;
+      RestrictSUIDSGID = true;
+      UMask = "0066";
+      ProtectProc = "invisible";
+      SystemCallFilter = [
+        "~@clock"
+        "~@cpu-emulation"
+        "~@module"
+        "~@mount"
+        "~@obsolete"
+        "~@raw-io"
+        "~@reboot"
+        "~capset"
+        "~setdomainname"
+        "~sethostname"
+      ];
+      RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" "AF_NETLINK" ];
+
+      # Needs network access
+      PrivateNetwork = false;
+      # Cannot be true due to Node
+      MemoryDenyWriteExecute = false;
+
+      # The more restrictive "pid" option makes `nix` commands in CI emit
+      # "GC Warning: Couldn't read /proc/stat"
+      # You may want to set this to "pid" if not using `nix` commands
+      ProcSubset = "all";
+      # Coverage programs for compiled code such as `cargo-tarpaulin` disable
+      # ASLR (address space layout randomization) which requires the
+      # `personality` syscall
+      # You may want to set this to `true` if not using coverage tooling on
+      # compiled code
+      LockPersonality = false;
+
+      # Note that this has some interactions with the User setting; so you may
+      # want to consult the systemd docs if using both.
+      DynamicUser = true;
+      #  Environment = [
+      #  ];
+      #  BindPaths = [
+      #    "/nix/var/nix/daemon-socket/socket"
+      #    "/run/nscd/socket"
+      #    "/var/lib/drone"
+      #  ];
+    };
  };

  services.gitea-actions-runner.instances.nix = {
@ -71,6 +128,7 @@
        HOME = "/var/lib/gitea-runner/nix";
        # unset the token so it doesn't leak into the runner
        TOKEN = "";
+        PAGER = "cat";
      };
    };
  };
--- a/targets/web01/terraform.tfstate
+++ b/targets/web01/terraform.tfstate