mirror of
https://github.com/NixOS/nixpkgs.git
synced 2024-12-06 04:23:14 +00:00
24adc01e2e
Since v2021.5.0 home-assistant uses the ifaddr library in the zeroconf
component to enumerate network interfaces via netlink. Since discovery
is all over the place lets allow AF_NETLINK unconditionally.
It also relies on pyroute2 now, which additionally tries to access files
in /proc/net, so we relax ProtectProc a bit by default as well.
This leaves us with these options unsecured:
✗ PrivateNetwork= Service has access to the host's network 0.5
✗ RestrictAddressFamilies=~AF_(INET|INET6) Service may allocate Internet sockets 0.3
✗ DeviceAllow= Service has a device ACL with some special devices 0.1
✗ IPAddressDeny= Service does not define an IP address allow list 0.2
✗ PrivateDevices= Service potentially has access to hardware devices 0.2
✗ PrivateUsers= Service has access to other users 0.2
✗ SystemCallFilter=~@resources System call allow list defined for service, and @resources is included (e.g. ioprio_set is allowed) 0.2
✗ RestrictAddressFamilies=~AF_NETLINK Service may allocate netlink sockets 0.1
✗ RootDirectory=/RootImage= Service runs within the host's root directory 0.1
✗ SupplementaryGroups= Service runs with supplementary groups 0.1
✗ RestrictAddressFamilies=~AF_UNIX Service may allocate local sockets 0.1
✗ ProcSubset= Service has full access to non-process /proc files (/proc subset=) 0.1
→ Overall exposure level for home-assistant.service: 1.6 OK 🙂
|
||
|---|---|---|
| .. | ||
| admin | ||
| amqp | ||
| audio | ||
| backup | ||
| blockchain/ethereum | ||
| cluster | ||
| computing | ||
| continuous-integration | ||
| databases | ||
| desktops | ||
| development | ||
| display-managers | ||
| editors | ||
| games | ||
| hardware | ||
| logging | ||
| misc | ||
| monitoring | ||
| network-filesystems | ||
| networking | ||
| printing | ||
| scheduling | ||
| search | ||
| security | ||
| system | ||
| torrent | ||
| ttys | ||
| video | ||
| wayland | ||
| web-apps | ||
| web-servers | ||
| x11 | ||