Merge pull request #49395 from dtzWill/update/upower-0.99.9

upower: 0.99.7 -> 0.99.9, lock down service
2018-10-30 15:57:11 +01:00 · 2018-10-30 15:57:11 +01:00 · 1d9481a127
commit 1d9481a127
parent f68cf486d8 d7e4c49ffc
2 changed files with 29 additions and 3 deletions
--- a/nixos/modules/services/hardware/upower.nix
+++ b/nixos/modules/services/hardware/upower.nix
@ -56,6 +56,32 @@ in
          { Type = "dbus";
            BusName = "org.freedesktop.UPower";
            ExecStart = "@${cfg.package}/libexec/upowerd upowerd";
+            Restart = "on-failure";
+            # Upstream lockdown:
+            # Filesystem lockdown
+            ProtectSystem = "strict";
+            # Needed by keyboard backlight support
+            ProtectKernelTunables = false;
+            ProtectControlGroups = true;
+            ReadWritePaths = "/var/lib/upower";
+            ProtectHome = true;
+            PrivateTmp = true;
+
+            # Network
+            # PrivateNetwork=true would block udev's netlink socket
+            RestrictAddressFamilies = "AF_UNIX AF_NETLINK";
+
+            # Execute Mappings
+            MemoryDenyWriteExecute = true;
+
+            # Modules
+            ProtectKernelModules = true;
+
+            # Real-time
+            RestrictRealtime = true;
+
+            # Privilege escalation
+            NoNewPrivileges = true;
          };
      };

--- a/pkgs/os-specific/linux/upower/default.nix
+++ b/pkgs/os-specific/linux/upower/default.nix
@ -4,11 +4,11 @@
 }:

 stdenv.mkDerivation rec {
-  name = "upower-0.99.7";
+  name = "upower-0.99.9";

  src = fetchurl {
-    url = "https://upower.freedesktop.org/releases/${name}.tar.xz";
-    sha256 = "00d4830yvg84brdhz4kn60lr3r8rn2y8gdbhmhxm78i5mgvc5g14";
+    url = https://gitlab.freedesktop.org/upower/upower/uploads/2282c7c0e53fb31816b824c9d1f547e8/upower-0.99.9.tar.xz;
+    sha256 = "046ix7j7hmb7ycv8v54668kjsrgjhzwxn299c1d87vdnkd38kfh1";
  };

  buildInputs =