
Merge pull request #127127 from mweinelt/home-assistant

nixos/home-assistant: update hardening
Martin Weinelt 2021-06-18 20:15:05 +02:00 committed by GitHub
commit af664bf942
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 54 additions and 4 deletions


@ -268,6 +268,52 @@ in {
"CAP_NET_BIND_SERVICE" "CAP_NET_BIND_SERVICE"
"CAP_NET_RAW" "CAP_NET_RAW"
])); ]));
componentsUsingBluetooth = [
# Components that require the AF_BLUETOOTH address family
"bluetooth_tracker"
"bluetooth_le_tracker"
];
componentsUsingSerialDevices = [
# Components that require access to serial devices (/dev/tty*)
# List generated from home-assistant documentation:
# git clone https://github.com/home-assistant/home-assistant.io/
# cd source/_integrations
# rg "/dev/tty" -l | cut -d'/' -f3 | cut -d'.' -f1 | sort
# And then extended by references found in the source code, these
# mostly the ones using config flows already.
"acer_projector"
"alarmdecoder"
"arduino"
"blackbird"
"dsmr"
"edl21"
"elkm1"
"elv"
"enocean"
"firmata"
"flexit"
"gpsd"
"insteon"
"kwb"
"lacrosse"
"mhz19"
"modbus"
"modem_callerid"
"mysensors"
"nad"
"numato"
"rflink"
"rfxtrx"
"scsgate"
"serial"
"serial_pm"
"sms"
"upb"
"velbus"
"w800rf32"
"xbee"
"zha"
];
in { in {
ExecStart = "${package}/bin/hass --runner --config '${cfg.configDir}'"; ExecStart = "${package}/bin/hass --runner --config '${cfg.configDir}'";
ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
@ -281,11 +327,11 @@ in {
# Hardening # Hardening
AmbientCapabilities = capabilities; AmbientCapabilities = capabilities;
CapabilityBoundingSet = capabilities; CapabilityBoundingSet = capabilities;
DeviceAllow = [ DeviceAllow = (optionals (any useComponent componentsUsingSerialDevices) [
"char-ttyACM rw" "char-ttyACM rw"
"char-ttyAMA rw" "char-ttyAMA rw"
"char-ttyUSB rw" "char-ttyUSB rw"
]; ]);
DevicePolicy = "closed"; DevicePolicy = "closed";
LockPersonality = true; LockPersonality = true;
MemoryDenyWriteExecute = true; MemoryDenyWriteExecute = true;
@ -314,13 +360,15 @@ in {
"AF_INET6" "AF_INET6"
"AF_NETLINK" "AF_NETLINK"
"AF_UNIX" "AF_UNIX"
] ++ optionals (useComponent "bluetooth_tracker" || useComponent "bluetooth_le_tracker") [ ] ++ optionals (any useComponent componentsUsingBluetooth) [
"AF_BLUETOOTH" "AF_BLUETOOTH"
]; ];
RestrictNamespaces = true; RestrictNamespaces = true;
RestrictRealtime = true; RestrictRealtime = true;
RestrictSUIDSGID = true; RestrictSUIDSGID = true;
SupplementaryGroups = [ "dialout" ]; SupplementaryGroups = optionals (any useComponent componentsUsingSerialDevices) [
"dialout"
];
SystemCallArchitectures = "native"; SystemCallArchitectures = "native";
SystemCallFilter = [ SystemCallFilter = [
"@system-service" "@system-service"
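Review bot: The header comment on componentsUsingSerialDevices says these components need access to /dev/tty*, but DeviceAllow still only grants char-ttyACM, char-ttyAMA and char-ttyUSB, so a listed component attached to an onboard UART (/dev/ttyS*) is still denied even after the component is enabled. If that is intended, the comment should say so, e.g. `# Components that require access to USB/ACM/AMA serial devices; /dev/ttyS* is not covered`; if not, adding `"char-ttyS rw"` would close the gap, although as far as I can tell that grants the whole major and should be checked against /proc/devices on a target machine. Because DeviceAllow and the dialout group were unconditional before this change, any serial-based component that is missing from the hand-maintained list now fails with permission errors instead of working; a one-line note in the comment telling users how to extend `DeviceAllow`/`SupplementaryGroups` via serviceConfig for an unlisted component would help. The enclosing let-binding starts before this hunk.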


@ -45,6 +45,7 @@ in {
payload_on = "let_there_be_light"; payload_on = "let_there_be_light";
payload_off = "off"; payload_off = "off";
}]; }];
# tests component-based capability assignment (CAP_NET_BIND_SERVICE)
emulated_hue = { emulated_hue = {
host_ip = "127.0.0.1"; host_ip = "127.0.0.1";
listen_port = 80; listen_port = 80;
@ -100,6 +101,7 @@ in {
assert "let_there_be_light" in output_log assert "let_there_be_light" in output_log
with subtest("Check systemd unit hardening"): with subtest("Check systemd unit hardening"):
hass.log(hass.succeed("systemctl show home-assistant.service"))
hass.log(hass.succeed("systemd-analyze security home-assistant.service")) hass.log(hass.succeed("systemd-analyze security home-assistant.service"))
''; '';
}) })
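Review bot: The new comment says emulated_hue is configured to test component-based capability assignment, but the subtest still only logs the `systemctl show` and `systemd-analyze security` output and asserts nothing, so a regression in the `any useComponent` gating would pass unnoticed. Consider asserting on the unit properties, e.g. `assert "cap_net_bind_service" in hass.succeed("systemctl show -p CapabilityBoundingSet home-assistant.service")` and, since no serial component is configured here, `assert "dialout" not in hass.succeed("systemctl show -p SupplementaryGroups home-assistant.service")`; systemctl appears to print capability names in lower case, so the exact spelling is worth confirming on the VM. The enclosing testScript string starts before this hunk.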