From ad161944605a00dbf036dee4eea10eab8a286121 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?=
Date: Wed, 23 Feb 2022 07:00:33 +0100
Subject: [PATCH] nixos/bird: improve systemd hardening / capability set

aligned with https://github.com/archlinux/svntogit-packages/blob/packages/bird/trunk/bird.service#L20-L21
---
 nixos/modules/services/networking/bird.nix | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/nixos/modules/services/networking/bird.nix b/nixos/modules/services/networking/bird.nix
index 54c75906742b..4a5192424819 100644
--- a/nixos/modules/services/networking/bird.nix
+++ b/nixos/modules/services/networking/bird.nix
@@ -72,23 +72,27 @@ in
       serviceConfig = {
         Type = "forking";
         Restart = "on-failure";
+        # We need to start as root so bird can open netlink sockets i.e. for ospf
         ExecStart = "${pkgs.bird}/bin/bird -c /etc/bird/bird2.conf -u bird2 -g bird2";
         ExecReload = "/bin/sh -c '${pkgs.bird}/bin/bird -c /etc/bird/bird2.conf -p && ${pkgs.bird}/bin/birdc configure'";
         ExecStop = "${pkgs.bird}/bin/birdc down";
+        RuntimeDirectory = "bird";
         CapabilityBoundingSet = [
           "CAP_CHOWN"
           "CAP_FOWNER"
-          "CAP_DAC_OVERRIDE"
           "CAP_SETUID"
           "CAP_SETGID"
-          # see bird/sysdep/linux/syspriv.h
-          "CAP_NET_BIND_SERVICE"
-          "CAP_NET_BROADCAST"
           "CAP_NET_ADMIN"
+          "CAP_NET_BROADCAST"
+          "CAP_NET_BIND_SERVICE"
           "CAP_NET_RAW"
         ];
         ProtectSystem = "full";
         ProtectHome = "yes";
+        ProtectKernelTunables = true;
+        ProtectControlGroups = true;
+        PrivateTmp = true;
+        PrivateDevices = true;
         SystemCallFilter = "~@cpu-emulation @debug @keyring @module @mount @obsolete @raw-io";
         MemoryDenyWriteExecute = "yes";
       };
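Review bot: The reordered CapabilityBoundingSet drops the `# see bird/sysdep/linux/syspriv.h` pointer that justified which capabilities bird needs, so the remaining list and the removal of CAP_DAC_OVERRIDE are now unexplained; keep a one-line reference above the list, e.g. `# see bird/sysdep/linux/syspriv.h for the capabilities bird needs before dropping to -u/-g`. The new hardening keys are Nix booleans (`ProtectKernelTunables = true;`) while the neighbouring `ProtectSystem = "full"`, `ProtectHome = "yes"` and `MemoryDenyWriteExecute = "yes"` remain strings; using `true` for the yes/no settings would keep the block consistent. `RuntimeDirectory = "bird"` is added with no consumer visible in this hunk and no `User=` is set, so the directory will presumably be root-owned with the default mode; if bird is expected to create its control socket there after switching to bird2, confirm the permissions allow that or document why the directory is needed. In the added comment, "i.e." reads as "e.g." since OSPF is one example of why netlink access is needed. The enclosing systemd.services definition starts before this hunk.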