nixos/kmonad: add new option enableHardening (#370437)
jian-lin authored Jan 5, 2025
2 parents 81874bf + 37e6624 commit debb218
Showing 2 changed files with 70 additions and 20 deletions.
3 changes: 3 additions & 0 deletions nixos/doc/manual/release-notes/rl-2505.section.md
@@ -126,6 +129,9 @@
to review the new defaults and description of
[](#opt-services.nextcloud.poolSettings).

- `kmonad` is now hardened by default using common `systemd` settings.
If KMonad is used to execute shell commands, hardening may make some of them fail. In that case, you can disable hardening using {option}`services.kmonad.keyboards.<name>.enableHardening` option.

- `asusd` has been upgraded to version 6 which supports multiple aura devices. To account for this, the single `auraConfig` configuration option has been replaced with `auraConfigs` which is an attribute set of config options per each device. The config files may also be now specified as either source files or text strings; to account for this you will need to specify that `text` is used for your existing configs, e.g.:
```diff
-services.asusd.asusdConfig = '''file contents'''
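Review bot: The release note names the failure mode ("hardening may make some of them fail") but not the cause, so a user who hits it has nothing to look for; suggest adding the most likely culprits from the unit settings in the same change, e.g. that the service gets no network (`PrivateNetwork`, `IPAddressDeny`), no home directories (`ProtectHome`), and creates files with `UMask = "0077"`, and that denied syscalls return EPERM (`SystemCallErrorNumber = "EPERM"`) so the failure shows up in the unit's journal. That lets users fix the one command instead of switching `enableHardening` off for the whole keyboard.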
87 changes: 67 additions & 20 deletions nixos/modules/services/hardware/kmonad.nix
@@ -41,6 +41,19 @@ let
'';
};

enableHardening = lib.mkOption {
type = lib.types.bool;
default = true;
example = false;
description = ''
Whether to enable systemd hardening.
::: {.note}
If KMonad is used to execute shell commands, hardening may make some of them fail.
:::
'';
};

defcfg = {
enable = lib.mkEnableOption ''
automatic generation of the defcfg block.
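Review bot: The option description says only "systemd hardening" and the note mentions only shell commands; since the default is `true`, the description should state what the unit loses so users can judge the trade-off before flipping it, e.g. "Whether to apply the systemd sandboxing settings (no network, device access limited to /dev/uinput and input devices, privileged syscalls denied) to the kmonad unit." Also, `example = false;` on a boolean option that defaults to `true` adds nothing over the type and default and can be dropped.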
@@ -128,6 +141,60 @@ let
StartLimitIntervalSec = 2;
StartLimitBurst = 5;
};
serviceConfig = {
ExecStart = ''
${lib.getExe cfg.package} ${mkCfg keyboard} \
${utils.escapeSystemdExecArgs cfg.extraArgs}
'';
Restart = "always";
# Restart at increasing intervals from 2s to 1m
RestartSec = 2;
RestartSteps = 30;
RestartMaxDelaySec = "1min";
Nice = -20;
DynamicUser = true;
User = "kmonad";
Group = "kmonad";
SupplementaryGroups = [
# These ensure that our dynamic user has access to the device node
config.users.groups.input.name
config.users.groups.uinput.name
] ++ keyboard.extraGroups;
};
serviceConfig =
{
ExecStart = ''
${lib.getExe cfg.package} ${mkCfg keyboard} \
${utils.escapeSystemdExecArgs cfg.extraArgs}
'';
Restart = "always";
# Restart at increasing intervals from 2s to 1m
RestartSec = 2;
RestartSteps = 30;
RestartMaxDelaySec = "1min";
Nice = -20;
DynamicUser = true;
User = "kmonad";
Group = "kmonad";
SupplementaryGroups = [
# These ensure that our dynamic user has access to the device node
config.users.groups.input.name
config.users.groups.uinput.name
] ++ keyboard.extraGroups;
}
// lib.optionalAttrs keyboard.enableHardening {
DeviceAllow = [
"/dev/uinput w"
"char-input r"
];
CapabilityBoundingSet = [ "" ];
DevicePolicy = "closed";
IPAddressDeny = [ "any" ];
LockPersonality = true;
MemoryDenyWriteExecute = true;
PrivateNetwork = true;
PrivateUsers = true;
ProcSubset = "pid";
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
RestrictAddressFamilies = [ "none" ];
RestrictNamespaces = true;
RestrictRealtime = true;
SystemCallArchitectures = [ "native" ];
SystemCallErrorNumber = "EPERM";
SystemCallFilter = [
"@system-service"
"~@privileged"
"~@resources"
];
UMask = "0077";
};
# make sure the new config is used after nixos-rebuild switch
# stopIfChanged controls[0] how a service is "restarted" during
# nixos-rebuild switch. By default, stopIfChanged is true, which stops
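Review bot: `DevicePolicy = "closed"` together with `DeviceAllow = [ "/dev/uinput w" "char-input r" ]` makes `keyboard.extraGroups` only half effective when hardening is on: group membership grants permission on the device node, but any node outside the `input` character-device class (or `/dev/uinput` opened for anything other than write) is still rejected by the device cgroup, so a user adding `extraGroups` for a keyboard exposed under another device class gets EPERM with no obvious cause. Suggest either documenting this next to `extraGroups` or adding a companion list (an `extraDeviceAllow`-style option; the name is only a suggestion) that is appended to `DeviceAllow`. Separately, `PrivateUsers = true` maps only the service user and root into the unit's user namespace; worth confirming on a real keyboard that the `input`/`uinput` supplementary groups still grant access to the device nodes under that mapping, since `SupplementaryGroups` is the only thing that makes the nodes readable.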
