Loading nixos/modules/services/networking/tayga.nix +3 −8 Original line number Diff line number Diff line Loading @@ -167,7 +167,7 @@ in networking.interfaces."${cfg.tunDevice}" = { virtual = true; virtualType = "tun"; virtualOwner = mkIf config.networking.useNetworkd ""; virtualOwner = null; ipv4 = { addresses = [ { Loading Loading @@ -205,9 +205,7 @@ in ExecReload = "${pkgs.coreutils}/bin/kill -SIGHUP $MAINPID"; Restart = "always"; # Hardening Score: # - nixos-scripts: 2.1 # - systemd-networkd: 1.6 # Hardening Score: 1.5 ProtectHome = true; SystemCallFilter = [ "@network-io" Loading @@ -216,9 +214,6 @@ in "~@resources" ]; ProtectKernelLogs = true; AmbientCapabilities = [ "CAP_NET_ADMIN" ]; CapabilityBoundingSet = ""; RestrictAddressFamilies = [ "AF_INET" Loading @@ -226,7 +221,7 @@ in "AF_NETLINK" ]; StateDirectory = "tayga"; DynamicUser = mkIf config.networking.useNetworkd true; DynamicUser = true; MemoryDenyWriteExecute = true; RestrictRealtime = true; RestrictSUIDSGID = true; Loading nixos/modules/tasks/network-interfaces-scripted.nix +3 −1 Original line number Diff line number Diff line Loading @@ -322,7 +322,9 @@ let RemainAfterExit = true; }; script = '' ip tuntap add dev "${i.name}" mode "${i.virtualType}" user "${i.virtualOwner}" ip tuntap add dev "${i.name}" mode "${i.virtualType}" ${ lib.optionalString (i.virtualOwner != null) ''user "${i.virtualOwner}"'' } ''; postStop = '' ip link del dev ${i.name} || true Loading nixos/modules/tasks/network-interfaces.nix +2 −1 Original line number Diff line number Diff line Loading @@ -348,9 +348,10 @@ let virtualOwner = mkOption { default = "root"; type = types.str; type = types.nullOr types.str; description = '' In case of a virtual device, the user who owns it. `null` will not set owner, allowing access to any user. ''; }; Loading nixos/tests/networking/networkd-and-scripted.nix +7 −1 Original line number Diff line number Diff line Loading 
@@ -1053,6 +1053,7 @@ let } ]; virtual = true; virtualOwner = null; mtu = 1342; macAddress = "02:de:ad:be:ef:01"; }; Loading @@ -1070,13 +1071,14 @@ let } ]; virtual = true; virtualOwner = "root"; mtu = 1343; }; }; testScript = '' targetList = """ tap0: tap persist user 0 tap0: tap persist tun0: tun persist user 0 """.strip() Loading @@ -1101,6 +1103,10 @@ let machine.wait_until_succeeds("ip link show dev tap0 | grep 'mtu 1342'") machine.wait_until_succeeds("ip link show dev tun0 | grep 'mtu 1343'") assert "02:de:ad:be:ef:01" in machine.succeed("ip link show dev tap0") with subtest("Test virtualOwner are configured"): for interface, expected_owner in [("tap0", "-1"), ("tun0", "0")]: actual_owner = machine.succeed(f"cat /sys/class/net/{interface}/owner").strip() assert expected_owner == actual_owner, f"{interface} owner: expect {expected_owner}, got {actual_owner}" '' # network-addresses-* only exist in scripted networking + lib.optionalString (!networkd) '' with subtest("Test interfaces' addresses clean up"): Loading Loading
nixos/modules/services/networking/tayga.nix +3 −8 Original line number Diff line number Diff line Loading @@ -167,7 +167,7 @@ in networking.interfaces."${cfg.tunDevice}" = { virtual = true; virtualType = "tun"; virtualOwner = mkIf config.networking.useNetworkd ""; virtualOwner = null; ipv4 = { addresses = [ { Loading Loading @@ -205,9 +205,7 @@ in ExecReload = "${pkgs.coreutils}/bin/kill -SIGHUP $MAINPID"; Restart = "always"; # Hardening Score: # - nixos-scripts: 2.1 # - systemd-networkd: 1.6 # Hardening Score: 1.5 ProtectHome = true; SystemCallFilter = [ "@network-io" Loading @@ -216,9 +214,6 @@ in "~@resources" ]; ProtectKernelLogs = true; AmbientCapabilities = [ "CAP_NET_ADMIN" ]; CapabilityBoundingSet = ""; RestrictAddressFamilies = [ "AF_INET" Loading @@ -226,7 +221,7 @@ in "AF_NETLINK" ]; StateDirectory = "tayga"; DynamicUser = mkIf config.networking.useNetworkd true; DynamicUser = true; MemoryDenyWriteExecute = true; RestrictRealtime = true; RestrictSUIDSGID = true; Loading
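Review bot: `virtualOwner = null;` in the first hunk leaves the tayga tun device without an owner, and the new `# Hardening Score: 1.5` comment in the second hunk does not record what that trades away: with the owner unset and the `AmbientCapabilities` entry for `CAP_NET_ADMIN` dropped in the third hunk, the daemon can attach under `DynamicUser` without privileges, but so can any other local process able to open `/dev/net/tun` (the option description added in network-interfaces.nix says as much). A comment beside the option would keep that trade-off visible to the next maintainer, e.g. `# Ownerless so the DynamicUser-run daemon can attach without CAP_NET_ADMIN; any local user with access to /dev/net/tun can attach to this device as well.` Narrowing the exposure would need a stable owner (a static service user, or group ownership, which `virtualOwner` does not model today), so that is a follow-up rather than a fix for this commit. The enclosing `serviceConfig` attribute set starts and ends outside the hunks.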
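--- a/nixos/modules/tasks/network-interfaces-scripted.nix
+++ b/nixos/modules/tasks/network-interfaces-scripted.nix
@@ -322,7 +322,9 @@ let
             RemainAfterExit = true;
           };
           script = ''
-            ip tuntap add dev "${i.name}" mode "${i.virtualType}" user "${i.virtualOwner}"
+            ip tuntap add dev "${i.name}" mode "${i.virtualType}" ${
+              lib.optionalString (i.virtualOwner != null) ''user "${i.virtualOwner}"''
+            }
           '';
           postStop = ''
             ip link del dev ${i.name} || true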
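Review bot: The new `''user "${i.virtualOwner}"''` fragment still splices the configured owner into the shell command inside plain double quotes, so a value containing `"` or `$` would break or alter the `ip tuntap` invocation; `lib.escapeShellArg` is the nixpkgs idiom for this: `${lib.optionalString (i.virtualOwner != null) "user ${lib.escapeShellArg i.virtualOwner}"}`. The value comes from module configuration rather than runtime input, so this is a robustness point rather than an exploitable gap, and the pre-existing `"${i.name}"` and `"${i.virtualType}"` quoting on the same line has the same shape. The enclosing attribute set that defines `script` starts and ends outside the hunk.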
nixos/modules/tasks/network-interfaces.nix +2 −1 Original line number Diff line number Diff line Loading @@ -348,9 +348,10 @@ let virtualOwner = mkOption { default = "root"; type = types.str; type = types.nullOr types.str; description = '' In case of a virtual device, the user who owns it. `null` will not set owner, allowing access to any user. ''; }; Loading
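Review bot: The added description line `` `null` will not set owner, allowing access to any user. `` states the consequence without its mechanism, and "any user" is broader than what actually holds; I would write it as `` If `null`, no owner is set and any local user who can open `/dev/net/tun` can attach to the device. `` The option is consumed by both the scripted and the networkd backend, and only the scripted consumer is in this commit's view, so confirm the networkd path also tolerates `null` — the networkd-and-scripted.nix test appears to run the `virtualOwner = null` case under both backends and expects owner `-1` for `tap0`. The `mkOption` block is fully inside the hunk.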
nixos/tests/networking/networkd-and-scripted.nix +7 −1 Original line number Diff line number Diff line Loading @@ -1053,6 +1053,7 @@ let } ]; virtual = true; virtualOwner = null; mtu = 1342; macAddress = "02:de:ad:be:ef:01"; }; Loading @@ -1070,13 +1071,14 @@ let } ]; virtual = true; virtualOwner = "root"; mtu = 1343; }; }; testScript = '' targetList = """ tap0: tap persist user 0 tap0: tap persist tun0: tun persist user 0 """.strip() Loading @@ -1101,6 +1103,10 @@ let machine.wait_until_succeeds("ip link show dev tap0 | grep 'mtu 1342'") machine.wait_until_succeeds("ip link show dev tun0 | grep 'mtu 1343'") assert "02:de:ad:be:ef:01" in machine.succeed("ip link show dev tap0") with subtest("Test virtualOwner are configured"): for interface, expected_owner in [("tap0", "-1"), ("tun0", "0")]: actual_owner = machine.succeed(f"cat /sys/class/net/{interface}/owner").strip() assert expected_owner == actual_owner, f"{interface} owner: expect {expected_owner}, got {actual_owner}" '' # network-addresses-* only exist in scripted networking + lib.optionalString (!networkd) '' with subtest("Test interfaces' addresses clean up"): Loading
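Review bot: The subtest label `"Test virtualOwner are configured"` and the assertion message `f"{interface} owner: expect {expected_owner}, got {actual_owner}"` in the last hunk read awkwardly; `"Test virtualOwner is configured"` and `expected {expected_owner}` would match the surrounding test text. Reading `/sys/class/net/{interface}/owner` pins the kernel-side owner rather than parsing `ip` output, which is the right thing to assert here; the device `group` is not asserted, which matches the module never passing one. The `testScript` string starts and ends outside the hunk.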