fix(zackbiene): fix esphome hardening to allow socket creation, fix hostapd config syntax

2023-03-16 03:36:53 +01:00 · 2023-03-16 03:36:53 +01:00 · 711c97b393
commit 711c97b393
parent fc8b59178b
5 changed files with 92 additions and 63 deletions
--- a/hosts/zackbiene/esphome.nix
+++ b/hosts/zackbiene/esphome.nix
@ -23,7 +23,7 @@ in {
      CapabilityBoundingSet = "";
      DevicePolicy = "closed";
      LockPersonality = true;
-      MemoryDenyWriteExecute = false;
+      MemoryDenyWriteExecute = false; # NodeJs-JIT :/
      NoNewPrivileges = true;
      PrivateDevices = true;
      PrivateUsers = true;
@ -40,17 +40,12 @@ in {
      ProtectSystem = "strict";
      ReadWritePaths = dataDir;
      RemoveIPC = true;
-      RestrictAddressFamilies = [
-        "AF_UNIX"
-      ];
+      RestrictAddressFamilies = ["AF_UNIX" "AF_NETLINK" "AF_INET" "AF_INET6"];
      RestrictNamespaces = true;
      RestrictRealtime = true;
      RestrictSUIDSGID = true;
      SystemCallArchitectures = "native";
-      SystemCallFilter = [
-        "@system-service @pkey"
-        "~@privileged @resources"
-      ];
+      SystemCallFilter = ["@system-service" "~@privileged"];
      UMask = "0077";
    };
  };
--- a/hosts/zackbiene/hostapd.nix
+++ b/hosts/zackbiene/hostapd.nix
@ -18,67 +18,94 @@

    # This is made for a Mediatek mt7612u based device (ALFA AWUS036ACM)
    extraConfig = ''
-         utf8_ssid=1
-         # Enable QoS, required for 802.11n/ac/ax
-         wmm_enabled=1
+      utf8_ssid=1
+      # Enable QoS, required for 802.11n/ac/ax
+      wmm_enabled=1

-         # DFS (IEEE 802.11d, IEEE 802.11h)
-         # Limit to frequencies allowed in country
-         ieee80211d=1
-         # Ensure TX Power and frequencies compliance with local regulatory requirements
-         ieee80211h=1
+      # DFS (IEEE 802.11d, IEEE 802.11h)
+      # Limit to frequencies allowed in country
+      ieee80211d=1
+      # Ensure TX Power and frequencies compliance with local regulatory requirements
+      ieee80211h=1

-         # IEEE 802.11ac (WiFi 4)
-         # MIMO and channel bonding support
-         ieee80211n=1
-         # Add wider channel-width support and MU-MIMO (multi user MIMO)
+      # IEEE 802.11ac (WiFi 4)
+      # MIMO and channel bonding support
+      ieee80211n=1
+      # Add wider channel-width support and MU-MIMO (multi user MIMO)

-         # IEEE 802.11ac (WiFi 5)
-         ieee80211ac=1
-         ht_capab=[HT40+][HT40-][GF][SHORT-GI-20][SHORT-GI-40]
+      # IEEE 802.11ac (WiFi 5)
+      ieee80211ac=1
+      ht_capab=[HT40+][HT40-][GF][SHORT-GI-20][SHORT-GI-40]
      vht_capab=[RXLDPC][SHORT-GI-80][TX-STBC-2BY1][RX-STBC-1][MAX-A-MPDU-LEN-EXP3][RX-ANTENNA-PATTERN][TX-ANTENNA-PATTERN]
      vht_oper_chwidth=1

-         # WPA3
+      # WPA3
      wpa=2
-         wpa_pairwise=CCMP CCMP-256
-         rsn_pairwise=CCMP CCMP-256
-         wpa_key_mgmt=SAE
-         # Require WPA, disable WEP
-         auth_algs=1
-         # Encrypt management frames to protect against deauthentication and similar attacks
-         ieee80211w=2
-         # Force WPA3-Personal without transition
+      wpa_pairwise=CCMP CCMP-256
+      rsn_pairwise=CCMP CCMP-256
+      wpa_key_mgmt=SAE
+      # Require WPA, disable WEP
+      auth_algs=1
+      # Encrypt management frames to protect against deauthentication and similar attacks
+      ieee80211w=2
+      # Force WPA3-Personal without transition
      transition_disable=0x01
-         # Derive PWE using both hunting-and-pecking loop and hash-to-element
-         sae_pwe=2
-         # SAE can also use wpa_psk, which allows us to use a separate file,
+      # Derive PWE using both hunting-and-pecking loop and hash-to-element
+      sae_pwe=2
+      # SAE can also use wpa_psk, which allows us to use a separate file,
      # but it restricts the password length to [2,63] which is ok.
      # This conatins a list of passwords for each client MAC.
-         wpa_psk=${config.rekey.secrets.wifi-stations.path}
+      wpa_psk_file=${config.rekey.secrets.wifi-clients.path}

-         # Use a MAC-address access control list
-         macaddr_acl=1
-         accept_mac_file=/run/hostapd/client-macs
+      # Use a MAC-address access control list
+      macaddr_acl=1
+      accept_mac_file=/run/hostapd/client-macs

-         # Hide network and require devices to know the ssid in advance
-         ignore_broadcast_ssid=1
-         # Don't allow stations to communicate with each other
-         ap_isolate=1
+      # Hide network and require devices to know the ssid in advance
+      ignore_broadcast_ssid=1
+      # Don't allow clients to communicate with each other
+      ap_isolate=1
    '';
  };

  # Associates each known client to a unique password
-  rekey.secrets.wifi-stations = {
-    file = ./secrets/wifi-stations.age;
-    owner = "hostapd";
-  };
-
+  rekey.secrets.wifi-clients.file = ./secrets/wifi-clients.age;
  systemd.services.hostapd = {
-    # Filter the stations to get a list of all known MAC addresses,
+    # Filter the clients to get a list of all known MAC addresses,
    # which we then use for MAC access control.
    preStart = lib.mkBefore ''
-      grep -o '^..:..:..:..:..:..' ${config.rekey.secrets.wifi-stations.path} > /run/hostapd/client-macs
+      grep -o '^..:..:..:..:..:..' ${config.rekey.secrets.wifi-clients.path} > /run/hostapd/client-macs
    '';
+    # Add some missing options to the upstream config
+    serviceConfig = {
+      ExecReload = "/bin/kill -HUP $MAINPID";
+      RuntimeDirectory = "hostapd";
+
+      # Hardening
+      LockPersonality = true;
+      MemoryDenyWriteExecute = true;
+      NoNewPrivileges = true;
+      PrivateDevices = false; # Needs /dev/rfkill
+      PrivateUsers = true;
+      PrivateTmp = true;
+      ProtectClock = true;
+      ProtectControlGroups = false; # Needs write-access to /sys/class/net/...
+      ProtectHome = true;
+      ProtectHostname = true;
+      ProtectKernelLogs = true;
+      ProtectKernelModules = true;
+      ProtectKernelTunables = false;
+      ProtectProc = "invisible";
+      ProcSubset = "pid";
+      ProtectSystem = "strict";
+      RemoveIPC = true;
+      RestrictAddressFamilies = ["AF_UNIX" "AF_NETLINK" "AF_INET" "AF_INET6"];
+      RestrictNamespaces = true;
+      RestrictRealtime = true;
+      RestrictSUIDSGID = true;
+      SystemCallArchitectures = "native";
+      SystemCallFilter = ["@system-service" "~@privileged" "@chown"];
+      UMask = "0077";
+    };
  };
 }
--- a/hosts/zackbiene/secrets/wifi-clients.age
+++ b/hosts/zackbiene/secrets/wifi-clients.age
@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> X25519 hassPBEEk/UBxKCHkOhG+xCVBRqjLzzIzx+YNxMI1XY
+yUPfWO27Ou9Kr/9+9H/QCx/s8z+xaqBknozANAUuRAY
+-> piv-p256 xqSe8Q A+Mah3ymwlgxCgF/hqioFnV4dLIs7gIlCi+5Y9hGThUy
+/1ILkEDSDzuP1TNm0eAGExBAGP6GvryPwkYN/44stZI
+-> yazz-grease 4O
+ELmoh/Qew+/mdgIaGxnpR9eTPGHvAEO8Y22uH/tlpwBmlVMZNHa91PQ/dksjMKA8
+7hYCLWcfWtEEF4gVUnCOokyYm3XAZyQ9Lauiw2n4JTvYSKJhmAquXW8Jmto
+--- 6650BuMK5X5Z56QmkfgIZdbB6cg8+l2GG05XDZkgK4Q
+揵鎧恑蒔e�3�8P牫��!荗u3抮*	羹5嚹{礅潑錭K菱鯰磉B1欸�m&#`襽7佫挚亼 O
--- a/hosts/zackbiene/secrets/wifi-stations.age
+++ b/hosts/zackbiene/secrets/wifi-stations.age
@ -1,9 +0,0 @@
-age-encryption.org/v1
-> X25519 2ysSXvNBkZGUL0kP0IGg9z/FDClzt7Zk60S5OxJvcXQ
-VkEGZ/Dap1F0iyQCarSRhPSmftWoiI/sQvLM3Gw1/xA
-> piv-p256 xqSe8Q A1wl54gEsL4r8bnGogruc1/9+2e8YjRfvgYcow+UjdSl
-6Yv9O8D0bq1EaK41WXme02Pu3BGCpHIr6D3igGnHSAE
-> Bwz)--grease wa,. Empc cCS[Rb"L
-LnHSEKMfcX3o5znCuYuJQb11c3B0Lb+gN0tjng7Iz/Q
--- eh8DL3+e9zxS1T4Zv1YezTAzbQdrNDwmbTRdFO0cqzQ
-ÒéðÎ�4Ëç.‘¦B÷'»OlA„Sg‚¤C'ó+¥z9ÏØãi}¥,õD'~“ŒûƒœlÈê–¼\O·‰V¯|‡Xu ä9
--- a/modules/core/default.nix
+++ b/modules/core/default.nix
@ -57,10 +57,16 @@ in {
  };

  # Rename known network interfaces
-  services.udev.extraRules = lib.concatStringsSep "\n" (lib.mapAttrsToList (
-      interface: attrs: ''SUBSYSTEM=="net", ACTION=="add", ATTR{address}=="${attrs.mac}", NAME="${interface}"''
-    )
-    nodeSecrets.networking.interfaces);
+  services.udev.packages = let
+    interfaceNamesUdevRules = pkgs.writeTextFile {
+      name = "interface-names-udev-rules";
+      text = lib.concatStringsSep "\n" (lib.mapAttrsToList (
+          interface: attrs: ''SUBSYSTEM=="net", ACTION=="add", ATTR{address}=="${attrs.mac}", NAME:="${interface}"''
+        )
+        nodeSecrets.networking.interfaces);
+      destination = "/etc/udev/rules.d/01-interface-names.rules";
+    };
+  in [interfaceNamesUdevRules];

  nix.nixPath = [
    "nixos-config=${dummyConfig}"