nixos/logrotate: harden systemd unit (#339050)

mweinelt · web-flow · commit 9b9ca77050e3 · 2024-09-23T17:49:29.000+02:00
diff --git a/nixos/doc/manual/release-notes/rl-2411.section.md b/nixos/doc/manual/release-notes/rl-2411.section.md
@@ -199,6 +199,8 @@
 
 - The `MSMTP_QUEUE` and `MSMTP_LOG` environment variables accepted by `msmtpq` have now been renamed to `MSMTPQ_Q` and `MSMTPQ_LOG` respectively.
 
+- The logrotate service has received hardening and now requires enabling `allowNetworking`, if logrotate needs to access the network.
+
 - The fcgiwrap module now allows multiple instances running as distinct users.
   The option `services.fgciwrap` now takes an attribute set of the
   configuration of each individual instance.
diff --git a/nixos/modules/services/logging/logrotate.nix b/nixos/modules/services/logging/logrotate.nix
@@ -97,6 +97,8 @@ in
         defaultText = lib.literalExpression "cfg.settings != {}";
       };
 
+      allowNetworking = lib.mkEnableOption "network access for logrotate";
+
       settings = lib.mkOption {
         default = { };
         description = ''
@@ -240,12 +242,55 @@ in
   config = lib.mkIf cfg.enable {
     systemd.services.logrotate = {
       description = "Logrotate Service";
+      documentation = [
+        "man:logrotate(8)"
+        "man:logrotate(5)"
+      ];
       startAt = "hourly";
 
       serviceConfig = {
-        Restart = "no";
-        User = "root";
-        ExecStart = "${pkgs.logrotate}/sbin/logrotate ${utils.escapeSystemdExecArgs cfg.extraArgs} ${mailOption} ${cfg.configFile}";
+        Type = "oneshot";
+        ExecStart = "${lib.getExe pkgs.logrotate} ${utils.escapeSystemdExecArgs cfg.extraArgs} ${mailOption} ${cfg.configFile}";
+
+        # performance
+        Nice = 19;
+        IOSchedulingClass = "best-effort";
+        IOSchedulingPriority = 7;
+
+        # hardening
+        CapabilityBoundingSet = [
+          "CAP_CHOWN"
+          "CAP_SETGID"
+        ];
+        DevicePolicy = "closed";
+        LockPersonality = true;
+        MemoryDenyWriteExecute = true;
+        NoNewPrivileges = true;
+        PrivateDevices = true;
+        PrivateTmp = true;
+        ProcSubset = "pid";
+        ProtectClock = true;
+        ProtectControlGroups = true;
+        ProtectHome = true;
+        ProtectHostname = true;
+        ProtectKernelLogs = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        ProtectProc = "invisible";
+        ProtectSystem = "full";
+        RestrictNamespaces = true;
+        RestrictRealtime = true;
+        RestrictSUIDSGID = true;
+        SystemCallArchitectures = "native";
+        SystemCallFilter = [
+          "@system-service"
+          "~@privileged @resources"
+          "@chown"
+        ];
+        UMask = "0027";
+      } // lib.optionalAttrs (!cfg.allowNetworking) {
+        PrivateNetwork = true;
+        RestrictAddressFamilies = "none";
       };
     };
     systemd.services.logrotate-checkconf = {
diff --git a/nixos/tests/logrotate.nix b/nixos/tests/logrotate.nix
@@ -127,5 +127,7 @@ import ./make-test-python.nix ({ pkgs, ... }: rec {
           if info["ActiveState"] != "failed":
               raise Exception('logrotate-checkconf.service was not failed')
 
+      machine.log(machine.execute("systemd-analyze security logrotate.service | grep -v ✓")[1])
+
     '';
 })
