From 2e76bf06d8940ac6bf5490b81f9cc654b913679c Mon Sep 17 00:00:00 2001
From: Will Dietz
Date: Thu, 13 Sep 2018 07:04:54 -0500
Subject: [PATCH 1/3] upower: 0.99.7 -> 0.99.8

(cherry picked from commit 67ac9c649ffc036c49006191c64555eae2e6012f)
---
 pkgs/os-specific/linux/upower/default.nix | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/pkgs/os-specific/linux/upower/default.nix b/pkgs/os-specific/linux/upower/default.nix
index 629f61bf5b16..9525c4d9c15c 100644
--- a/pkgs/os-specific/linux/upower/default.nix
+++ b/pkgs/os-specific/linux/upower/default.nix
@@ -4,11 +4,11 @@
 }:

 stdenv.mkDerivation rec {
- name = "upower-0.99.7";
+ name = "upower-0.99.8";

 src = fetchurl {
- url = "https://upower.freedesktop.org/releases/${name}.tar.xz";
- sha256 = "00d4830yvg84brdhz4kn60lr3r8rn2y8gdbhmhxm78i5mgvc5g14";
+ url = https://gitlab.freedesktop.org/upower/upower/uploads/9125ab7ee96fdc4ecc68cfefb50c1cab/upower-0.99.8.tar.xz;
+ sha256 = "00lzr0vyxz5lvmgya48gdb2cdgmfdim4b34jlfdyqakk1i9sl8xv";
 };

 buildInputs =
From b5bac7d8a8c155a7b1fe1f3868fd876125e02086 Mon Sep 17 00:00:00 2001
From: Will Dietz
Date: Thu, 25 Oct 2018 13:52:46 -0500
Subject: [PATCH 2/3] upower: 0.99.8 -> 0.99.9

---
 pkgs/os-specific/linux/upower/default.nix | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/pkgs/os-specific/linux/upower/default.nix b/pkgs/os-specific/linux/upower/default.nix
index 9525c4d9c15c..6c6e411000ac 100644
--- a/pkgs/os-specific/linux/upower/default.nix
+++ b/pkgs/os-specific/linux/upower/default.nix
@@ -4,11 +4,11 @@
 }:

 stdenv.mkDerivation rec {
- name = "upower-0.99.8";
+ name = "upower-0.99.9";

 src = fetchurl {
- url = https://gitlab.freedesktop.org/upower/upower/uploads/9125ab7ee96fdc4ecc68cfefb50c1cab/upower-0.99.8.tar.xz;
- sha256 = "00lzr0vyxz5lvmgya48gdb2cdgmfdim4b34jlfdyqakk1i9sl8xv";
+ url = https://gitlab.freedesktop.org/upower/upower/uploads/2282c7c0e53fb31816b824c9d1f547e8/upower-0.99.9.tar.xz;
+ sha256 = "046ix7j7hmb7ycv8v54668kjsrgjhzwxn299c1d87vdnkd38kfh1";
 };

 buildInputs =
From d7e4c49ffc4c3879bc2edb287f0758c17b0e00e3 Mon Sep 17 00:00:00 2001
From: Will Dietz
Date: Fri, 12 Oct 2018 16:41:53 -0500
Subject: [PATCH 3/3] nixos/upower: lockdown service using upstream settings

---
 nixos/modules/services/hardware/upower.nix | 26 ++++++++++++++++++++++
 1 file changed, 26 insertions(+)

diff --git a/nixos/modules/services/hardware/upower.nix b/nixos/modules/services/hardware/upower.nix
index 2198842a4511..1da47349c077 100644
--- a/nixos/modules/services/hardware/upower.nix
+++ b/nixos/modules/services/hardware/upower.nix
@@ -56,6 +56,32 @@ in {
 Type = "dbus";
 BusName = "org.freedesktop.UPower";
 ExecStart = "@${cfg.package}/libexec/upowerd upowerd";
+ Restart = "on-failure";
+ # Upstream lockdown:
+ # Filesystem lockdown
+ ProtectSystem = "strict";
+ # Needed by keyboard backlight support
+ ProtectKernelTunables = false;
+ ProtectControlGroups = true;
+ ReadWritePaths = "/var/lib/upower";
+ ProtectHome = true;
+ PrivateTmp = true;
+
+ # Network
+ # PrivateNetwork=true would block udev's netlink socket
+ RestrictAddressFamilies = "AF_UNIX AF_NETLINK";
+
+ # Execute Mappings
+ MemoryDenyWriteExecute = true;
+
+ # Modules
+ ProtectKernelModules = true;
+
+ # Real-time
+ RestrictRealtime = true;
+
+ # Privilege escalation
+ NoNewPrivileges = true;
 };
 };

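Review bot: `ReadWritePaths = "/var/lib/upower"` combined with `ProtectSystem = "strict"` assumes that directory already exists when the unit starts; nothing in this hunk creates it, and once `/var/lib` is read-only upowerd cannot create it on first run, so as far as I can tell the history store would stop working or the unit would fail its mount-namespace setup on a fresh system. Consider adding `StateDirectory = "upower";` next to it, which creates `/var/lib/upower` with the right ownership and is implicitly writable under `ProtectSystem=strict`; the explicit `ReadWritePaths` line can stay so the block still mirrors upstream. A one-line pointer such as `# Mirrors the hardening in upstream's upower.service; re-sync these on version bumps` above the `# Upstream lockdown:` comment would tell the next maintainer where these values come from and that they are not NixOS-specific choices. The `serviceConfig` attribute set this hunk extends begins before the hunk.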