
nixos/go2rtc: harden systemd service#490641

Open
ronnychevalier wants to merge 1 commit into NixOS:master from ronnychevalier:nixos-go2rtc-hardening

Conversation

@ronnychevalier
Contributor

To follow the principle of least privilege, let's
remove privileges it does not require by configuring systemd service settings.

See #377827

Things done

  • Built on platform:
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • Tested, as applicable:
  • Ran nixpkgs-review on this PR. See nixpkgs-review usage.
  • Tested basic functionality of all binary files, usually in ./result/bin/.
  • Nixpkgs Release Notes
    • Package update: when the change is major or breaking.
  • NixOS Release Notes
    • Module addition: when adding a new NixOS module.
    • Module update: when the change is significant.
  • Fits CONTRIBUTING.md, pkgs/README.md, maintainers/README.md and other READMEs.

@nixpkgs-ci nixpkgs-ci bot added 10.rebuild-linux: 1-10 This PR causes between 1 and 10 packages to rebuild on Linux. 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin. 9.needs: reviewer This PR currently has no reviewers requested and needs attention. 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: module (update) This PR changes an existing module in `nixos/` labels Feb 15, 2026
Comment on lines 117 to 121
RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
"AF_NETLINK"
];
Member

AF_UNIX should be in this list. go2rtc has a unix_listen option for its API.

Contributor Author

Good catch, I did not know unix_listen existed, I might use it now, thanks!

I will add something like ++ lib.optionals (cfg.settings.api.unix_listen != "") ["AF_UNIX"].

Contributor Author

Done

ProtectProc = "invisible";
ProcSubset = "pid";
ProtectSystem = "strict";
UMask = "0077";
Member

Worth considering DevicePolicy = "closed" here? Something like:

DevicePolicy = "closed";
DeviceAllow = [
  "/dev/video*"
  "/dev/dri/*"
];

Contributor Author

I thought about this, but I preferred to submit a conservative set of sandboxing settings that minimized the probability of breaking someone's setup. I would prefer to submit (or someone else) a follow-up PR for this.
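As an added check that is not part of this PR or the go2rtc module, the script below reads the KEY=VALUE output of `systemctl show go2rtc.service` and verifies the points raised in the two threads above: AF_UNIX is allowed exactly when `api.unix_listen` is set, the baseline directives from the diff are in effect, and DevicePolicy reports whether the deferred device restriction was applied. The sample output is constructed, not captured from a host.

```python
"""Verify a go2rtc unit's effective sandbox against its configuration."""

# Constructed subset of `systemctl show go2rtc.service` output, mirroring
# the settings in this PR (DevicePolicy left at the systemd default).
SAMPLE_SHOW = """\
RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK
ProtectProc=invisible
ProcSubset=pid
ProtectSystem=strict
UMask=0077
DevicePolicy=auto
"""

# Baseline directives the module sets; each must be reported verbatim.
REQUIRED = {
    "ProtectProc": "invisible",
    "ProcSubset": "pid",
    "ProtectSystem": "strict",
    "UMask": "0077",
}


def parse_show(text: str) -> dict[str, str]:
    """Turn `systemctl show` KEY=VALUE lines into a dict (first '=' splits)."""
    props = {}
    for line in text.splitlines():
        if "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def check_sandbox(props: dict[str, str], unix_listen: str = "") -> list[str]:
    """Return findings; an empty list means the unit matches expectations."""
    findings = []
    for key, expected in REQUIRED.items():
        if props.get(key) != expected:
            findings.append(f"{key}={props.get(key, '<unset>')} (expected {expected})")
    families = set(props.get("RestrictAddressFamilies", "").split())
    wants_unix = unix_listen != ""  # api.unix_listen configured in go2rtc
    if wants_unix and "AF_UNIX" not in families:
        findings.append("AF_UNIX missing: socket(AF_UNIX) for api.unix_listen is refused")
    if not wants_unix and "AF_UNIX" in families:
        findings.append("AF_UNIX allowed but api.unix_listen is empty (wider than needed)")
    if props.get("DevicePolicy", "auto") != "closed":
        findings.append("DevicePolicy!=closed: device node access not restricted")
    return findings
```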

@nixpkgs-ci nixpkgs-ci bot added 12.approvals: 1 This PR was reviewed and approved by one person. and removed 9.needs: reviewer This PR currently has no reviewers requested and needs attention. labels Feb 21, 2026
To follow the principle of least privilege, let's
remove privileges it does not require by configuring
systemd service settings.

See NixOS#377827
@ronnychevalier ronnychevalier changed the title nixos/go2rtc: harden system service nixos/go2rtc: harden systemd service Feb 22, 2026