Commit 0f599d1e authored by Felix Singer's avatar Felix Singer
Browse files

nixos/redmine: Apply initial hardening using the systemd unit 



These options are a good start for sandboxing the service. It's planned
to set `ProtectSystem` to `strict` instead of `full`, but that requires
specific directories to be configured as writable. It's also planned to
filter system calls. However, that requires more testing but it
shouldn't prevent us from applying these options for now and add others
later.

In my tests, Redmine only bound to an IPv4 address and Unix socket,
which is why I restricted the address families to these both.

The command `systemd-analyze security redmine.service` reports an
overall exposure level of 2.9 with this patch.

Signed-off-by: default avatarFelix Singer <felixsinger@posteo.net>
parent f0ce0e71

nixos/modules/services/misc/redmine.nix

+24 −0
Original line number Diff line number Diff line
@@ -436,6 +436,30 @@ in 
        TimeoutSec = "300";

        WorkingDirectory = "${cfg.package}/share/redmine";

        ExecStart="${bundle} exec rails server -u webrick -e production -b ${toString cfg.address} -p ${toString cfg.port} -P '${cfg.stateDir}/redmine.pid'";

        AmbientCapabilities = "";

        CapabilityBoundingSet = "";

        LockPersonality = true;

        MemoryDenyWriteExecute = true;

        NoNewPrivileges = true;

        PrivateDevices = true;

        PrivateTmp = true;

        ProcSubset = "pid";

        ProtectClock = true;

        ProtectControlGroups = true;

        ProtectHome = true;

        ProtectHostname = true;

        ProtectKernelLogs = true;

        ProtectKernelModules = true;

        ProtectKernelTunables = true;

        ProtectProc = "noaccess";

        ProtectSystem = "full";

        RemoveIPC = true;

        RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" ];

        RestrictNamespaces = true;

        RestrictRealtime = true;

        RestrictSUIDSGID = true;

        SystemCallArchitectures = "native";

        UMask = 027;

      };



    };