nixos/zipline: improve systemd hardening (#387119)

Author: SuperSandro2000

nixos/modules/services/web-apps/zipline.nix

@@ -107,9 +107,11 @@ in
         ExecStart = lib.getExe cfg.package;
 
         # Hardening
+        AmbientCapabilities = "";
         CapabilityBoundingSet = [ "" ];
-        DeviceAllow = [ "" ];
+        DevicePolicy = "closed";
         LockPersonality = true;
+        NoNewPrivileges = true;
         PrivateDevices = true;
         PrivateTmp = true;
         PrivateUsers = true;
@@ -123,15 +125,18 @@ in
         ProtectKernelTunables = true;
         ProtectProc = "invisible";
         ProtectSystem = "strict";
-        RestrictAddressFamilies = [
-          "AF_INET"
-          "AF_INET6"
-          "AF_UNIX"
-        ];
+        RemoveIPC = true;
+        RestrictAddressFamilies = [ "AF_INET AF_INET6 AF_UNIX AF_NETLINK" ];
         RestrictNamespaces = true;
         RestrictRealtime = true;
         RestrictSUIDSGID = true;
         SystemCallArchitectures = "native";
+        SystemCallFilter = [
+          "@system-service"
+          "~@privileged"
+          "~@resources"
+        ];
+        UMask = "0077";
       };
     };
   };

nixos/tests/zipline.nix

@@ -1,4 +1,5 @@
 { lib, ... }:
+
 {
   name = "zipline";
   meta.maintainers = with lib.maintainers; [ defelo ];
@@ -20,6 +21,18 @@
     networking.hosts."127.0.0.1" = [ "zipline.local" ];
   };
 
+  interactive.nodes.machine = {
+    services.zipline.settings.CORE_HOSTNAME = lib.mkForce "0.0.0.0";
+    networking.firewall.allowedTCPPorts = [ 8000 ];
+    virtualisation.forwardPorts = [
+      {
+        from = "host";
+        host.port = 8000;
+        guest.port = 8000;
+      }
+    ];
+  };
+
   testScript = ''
     import json
     import re