Merge pull request #120536 from mweinelt/mosquitto

2021-05-03 00:41:21 +02:00 · 2021-05-03 00:41:21 +02:00 · d67fc76603
commit d67fc76603
parent fb5b00d2eb a2d1d16af8
2 changed files with 44 additions and 7 deletions
--- a/nixos/modules/services/networking/mosquitto.nix
+++ b/nixos/modules/services/networking/mosquitto.nix
@ -20,8 +20,7 @@ let
    acl_file ${aclFile}
    persistence true
    allow_anonymous ${boolToString cfg.allowAnonymous}
-    bind_address ${cfg.host}
-    port ${toString cfg.port}
+    listener ${toString cfg.port} ${cfg.host}
    ${passwordConf}
    ${listenerConf}
    ${cfg.extraConf}
@ -233,15 +232,50 @@ in
        ExecStart = "${pkgs.mosquitto}/bin/mosquitto -c ${mosquittoConf}";
        ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";

-        ProtectSystem = "strict";
-        ProtectHome = true;
+        # Hardening
+        CapabilityBoundingSet = "";
+        DevicePolicy = "closed";
+        LockPersonality = true;
+        MemoryDenyWriteExecute = true;
+        NoNewPrivileges = true;
        PrivateDevices = true;
        PrivateTmp = true;
-        ReadWritePaths = "${cfg.dataDir}";
+        PrivateUsers = true;
+        ProtectClock = true;
        ProtectControlGroups = true;
+        ProtectHome = true;
+        ProtectHostname = true;
+        ProtectKernelLogs = true;
        ProtectKernelModules = true;
        ProtectKernelTunables = true;
-        NoNewPrivileges = true;
+        ProtectProc = "invisible";
+        ProcSubset = "pid";
+        ProtectSystem = "strict";
+        ReadWritePaths = [
+          cfg.dataDir
+          "/tmp"  # mosquitto_passwd creates files in /tmp before moving them
+        ];
+        ReadOnlyPaths = with cfg.ssl; lib.optionals (enable) [
+          certfile
+          keyfile
+          cafile
+        ];
+        RemoveIPC = true;
+        RestrictAddressFamilies = [
+          "AF_UNIX"  # for sd_notify() call
+          "AF_INET"
+          "AF_INET6"
+        ];
+        RestrictNamespaces = true;
+        RestrictRealtime = true;
+        RestrictSUIDSGID = true;
+        SystemCallArchitectures = "native";
+        SystemCallFilter = [
+          "@system-service"
+          "~@privileged"
+          "~@resources"
+        ];
+        UMask = "0077";
      };
      preStart = ''
        rm -f ${cfg.dataDir}/passwd
--- a/nixos/tests/mosquitto.nix
+++ b/nixos/tests/mosquitto.nix
@ -1,4 +1,4 @@
-import ./make-test-python.nix ({ pkgs, ... }:
+import ./make-test-python.nix ({ pkgs, lib, ... }:

 let
  port = 1888;
@ -30,6 +30,9 @@ in {
          ];
        };
      };
+
+      # disable private /tmp for this test
+      systemd.services.mosquitto.serviceConfig.PrivateTmp = lib.mkForce false;
    };

    client1 = client;