From 85b3448e6a1967e2f49bc85f2559b3393f33361d Mon Sep 17 00:00:00 2001
From: nyanloutre
Date: Wed, 1 May 2019 21:56:58 +0200
Subject: [PATCH] nixos/factorio: sandbox service using systemd
- DynamicUser enabled instead of static uid/gid
- Enables most sandboxing options systemd offers
---
 nixos/modules/misc/ids.nix | 4 +--
 nixos/modules/services/games/factorio.nix | 44 +++++++++++------------
 2 files changed, 23 insertions(+), 25 deletions(-)
diff --git a/nixos/modules/misc/ids.nix b/nixos/modules/misc/ids.nix
index 5198bedc1387..5b7fa5d2b98f 100644
--- a/nixos/modules/misc/ids.nix
+++ b/nixos/modules/misc/ids.nix
@@ -265,7 +265,7 @@
 syncthing = 237;
 caddy = 239;
 taskd = 240;
- factorio = 241;
+ # factorio = 241; # DynamicUser = true
 # emby = 242; # unusued, removed 2019-05-01
 graylog = 243;
 sniproxy = 244;
@@ -567,7 +567,7 @@
 syncthing = 237;
 caddy = 239;
 taskd = 240;
- factorio = 241;
+ # factorio = 241; # unused
 # emby = 242; # unused, removed 2019-05-01
 sniproxy = 244;
 nzbget = 245;
diff --git a/nixos/modules/services/games/factorio.nix b/nixos/modules/services/games/factorio.nix
index 3f6bf9de8931..d04673a6c8b8 100644
--- a/nixos/modules/services/games/factorio.nix
+++ b/nixos/modules/services/games/factorio.nix
@@ -6,7 +6,7 @@ let
 cfg = config.services.factorio;
 factorio = pkgs.factorio-headless;
 name = "Factorio";
- stateDir = cfg.stateDir;
+ stateDir = "/var/lib/${cfg.stateDirName}";
 mkSavePath = name: "${stateDir}/saves/${name}.zip";
 configFile = pkgs.writeText "factorio.conf" ''
 use-system-read-write-data-directories=true
@@ -80,11 +80,11 @@ in
 customizations.
 '';
 };
- stateDir = mkOption {
- type = types.path;
- default = "/var/lib/factorio";
+ stateDirName = mkOption {
+ type = types.string;
+ default = "factorio";
 description = ''
- The server's data directory.
+ Name of the directory under /var/lib holding the server's data.
 The configuration and map will be stored here.
 '';
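Review bot: `stateDir = "/var/lib/${cfg.stateDirName}"` interpolates an option that this same patch declares as `types.string`, a type that merges several definitions by concatenating them instead of reporting a conflict and that accepts `/` and `..`, so a mis-set or doubly-defined name silently produces a path outside `/var/lib/factorio` while the matching `StateDirectory=` value is only rejected by systemd at unit start. Declaring it as `type = types.str;` (or `type = types.strMatching "[^/]+";`, if that type is available in the target nixpkgs) would make a bad name fail at evaluation time, where the mismatch between this string and what systemd creates is easy to see. This let-binding is now also the only place that assumes the state root is `/var/lib`; a comment such as `# must match the root systemd uses for StateDirectory= (/var/lib for system services)` would tell the next reader why `stateDir` and `StateDirectory` have to be kept in sync by hand. The `stateDirName` option hunk itself is cut off at the end of this chunk, so its closing lines are not visible here.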
@@ -176,20 +176,6 @@ in
 };
 config = mkIf cfg.enable {
- users = {
- users.factorio = {
- uid = config.ids.uids.factorio;
- description = "Factorio server user";
- group = "factorio";
- home = stateDir;
- createHome = true;
- };
-
- groups.factorio = {
- gid = config.ids.gids.factorio;
- };
- };
-
 systemd.services.factorio = {
 description = "Factorio headless server";
 wantedBy = [ "multi-user.target" ];
@@ -205,12 +191,10 @@ in
 ];
 serviceConfig = {
- User = "factorio";
- Group = "factorio";
 Restart = "always";
 KillSignal = "SIGINT";
- WorkingDirectory = stateDir;
- PrivateTmp = true;
+ DynamicUser = true;
+ StateDirectory = cfg.stateDirName;
 UMask = "0007";
 ExecStart = toString [
 "${factorio}/bin/factorio"
@@ -220,6 +204,20 @@ in
 "--server-settings=${serverSettingsFile}"
 (optionalString (cfg.mods != []) "--mod-directory=${modDir}")
 ];
+
+ # Sandboxing
+ NoNewPrivileges = true;
+ PrivateTmp = true;
+ PrivateDevices = true;
+ ProtectSystem = "strict";
+ ProtectHome = true;
+ ProtectControlGroups = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" "AF_NETLINK" ];
+ RestrictRealtime = true;
+ RestrictNamespaces = true;
+ MemoryDenyWriteExecute = true;
 };
 };
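Review bot: `WorkingDirectory = stateDir;` is dropped from `serviceConfig` together with `User`/`Group`, so the server now starts in the unit's default working directory (the root directory), which the `ProtectSystem = "strict"` added further down makes read-only for the dynamic user; anything the headless binary writes relative to its cwd rather than through the `write-data` path in the config file (logs, crash dumps) would then fail at runtime, which the old `/var/lib/factorio` cwd masked. Keeping `WorkingDirectory = stateDir;` next to `StateDirectory = cfg.stateDirName;` costs nothing, since `stateDir` is still bound to `/var/lib/${cfg.stateDirName}` in this patch. Existing deployments also have `/var/lib/factorio` and its saves owned by the static uid 241 that `ids.nix` frees for reuse in the same commit; I believe systemd re-owns a pre-existing `StateDirectory=` to the dynamic user on first start, but that is worth confirming on a host with real saves and stating in the option description, because a wrong assumption here leaves the state either unreadable by the service or readable by whichever future service inherits uid 241.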