nixos/github-runner: systemd service hardening
This commit is contained in:
parent
baedfc4da9
commit
334b30c464
3 changed files with 23 additions and 0 deletions
|
@ -978,6 +978,15 @@
|
||||||
<literal>true</literal>.
|
<literal>true</literal>.
|
||||||
</para>
|
</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
<listitem>
|
||||||
|
<para>
|
||||||
|
<literal>services.github-runner</literal> has been hardened.
|
||||||
|
Notably address families and system calls have been
|
||||||
|
restricted, which may adversely affect some kinds of testing,
|
||||||
|
e.g. using <literal>AF_BLUETOOTH</literal> to test bluetooth
|
||||||
|
devices.
|
||||||
|
</para>
|
||||||
|
</listitem>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>
|
<para>
|
||||||
The terraform 0.12 compatibility has been removed and the
|
The terraform 0.12 compatibility has been removed and the
|
||||||
|
|
|
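Review bot: the new entry says address families and system calls are restricted without saying what remains allowed, so a user cannot tell from the release notes whether their workload is affected until a job is killed; since the module change in this commit keeps only `AF_INET`, `AF_INET6`, `AF_UNIX` and `AF_NETLINK` and filters the `@debug`, `@mount`, `@privileged`, `@cpu-emulation` and `@obsolete` groups, list those here next to the `AF_BLUETOOTH` example. A comma after "Notably" would also read better.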
@ -357,6 +357,10 @@ In addition to numerous new and upgraded packages, this release has the followin
|
||||||
|
|
||||||
- The Tor SOCKS proxy is now actually disabled if `services.tor.client.enable` is set to `false` (the default). If you are using this functionality but didn't change the setting or set it to `false`, you now need to set it to `true`.
|
- The Tor SOCKS proxy is now actually disabled if `services.tor.client.enable` is set to `false` (the default). If you are using this functionality but didn't change the setting or set it to `false`, you now need to set it to `true`.
|
||||||
|
|
||||||
|
- `services.github-runner` has been hardened. Notably address families and
|
||||||
|
system calls have been restricted, which may adversely affect some kinds of
|
||||||
|
testing, e.g. using `AF_BLUETOOTH` to test bluetooth devices.
|
||||||
|
|
||||||
- The terraform 0.12 compatibility has been removed and the `terraform.withPlugins` and `terraform-providers.mkProvider` implementations simplified. Providers now need to be stored under
|
- The terraform 0.12 compatibility has been removed and the `terraform.withPlugins` and `terraform-providers.mkProvider` implementations simplified. Providers now need to be stored under
|
||||||
`$out/libexec/terraform-providers/<registry>/<owner>/<name>/<version>/<os>_<arch>/terraform-provider-<name>_v<version>` (which mkProvider does).
|
`$out/libexec/terraform-providers/<registry>/<owner>/<name>/<version>/<os>_<arch>/terraform-provider-<name>_v<version>` (which mkProvider does).
|
||||||
|
|
||||||
|
|
|
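Review bot: this entry is wrapped across three lines while the neighbouring Tor and terraform entries are each kept on a single line; keep the list consistent one way or the other. The wording matches the XML copy in this commit, which is good; any later refinement (such as naming the allowed address families) needs to be applied to both copies.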
@ -299,6 +299,16 @@ in
|
||||||
RestrictRealtime = true;
|
RestrictRealtime = true;
|
||||||
RestrictSUIDSGID = true;
|
RestrictSUIDSGID = true;
|
||||||
UMask = "0066";
|
UMask = "0066";
|
||||||
|
ProtectProc = "invisible";
|
||||||
|
ProcSubset = "pid";
|
||||||
|
SystemCallFilter = [
|
||||||
|
"~@debug"
|
||||||
|
"~@mount"
|
||||||
|
"~@privileged"
|
||||||
|
"~@cpu-emulation"
|
||||||
|
"~@obsolete"
|
||||||
|
];
|
||||||
|
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" "AF_NETLINK" ];
|
||||||
|
|
||||||
# Needs network access
|
# Needs network access
|
||||||
PrivateNetwork = false;
|
PrivateNetwork = false;
|
||||||
|
|
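Review bot: the release-note entries in this commit mention only address families and system calls, but `ProcSubset = "pid"` also hides the non-process entries of `/proc` (for example `/proc/cpuinfo` and `/proc/meminfo`), which build tooling commonly reads to size parallel jobs; either document this alongside the `AF_BLUETOOTH` caveat or add a comment explaining why it is safe for a runner that executes arbitrary CI jobs. The `SystemCallFilter` list is written as a denylist (`"~@debug"`, `"~@mount"`, `"~@privileged"`, ...), which admits any call outside those groups; a short comment stating that this form was chosen deliberately over an allowlist, and why, would help the next reader, as would a comment on `RestrictAddressFamilies` noting that `AF_NETLINK` is kept for tooling that enumerates interfaces.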