diff --git a/nixos/modules/services/mail/rspamd.nix b/nixos/modules/services/mail/rspamd.nix
index a6c19a2af73e..2f9d28195bd8 100644
--- a/nixos/modules/services/mail/rspamd.nix
+++ b/nixos/modules/services/mail/rspamd.nix
@@ -371,6 +371,9 @@ in
 };
 services.postfix.config = mkIf cfg.postfix.enable cfg.postfix.config;
+ systemd.services.postfix.serviceConfig.SupplementaryGroups =
+ mkIf cfg.postfix.enable [ postfixCfg.group ];
+
 # Allow users to run 'rspamc' and 'rspamadm'.
 environment.systemPackages = [ pkgs.rspamd ];
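Review bot: The added `systemd.services.postfix.serviceConfig.SupplementaryGroups = mkIf cfg.postfix.enable [ postfixCfg.group ];` carries no explanation, and it is not obvious why the postfix unit would need its own group listed as a supplementary group. Read together with the rspamd unit in the next hunk, which gains the same group and keeps `PrivateUsers` off only when postfix is enabled, it appears to exist so postfix's processes can open the rspamd socket that rspamd hands over to `postfixCfg.group`; that reading should be confirmed and written down rather than left for the next maintainer to rediscover. A comment above the line such as `# Postfix must hold postfixCfg.group as a supplementary group to reach the rspamd socket chgrp'd to it when the milter integration is enabled` would do.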
@@ -394,16 +397,45 @@ in
 restartTriggers = [ rspamdDir ];
 serviceConfig = {
- ExecStart = "${pkgs.rspamd}/bin/rspamd ${optionalString cfg.debug "-d"} --user=${cfg.user} --group=${cfg.group} --pid=/run/rspamd.pid -c /etc/rspamd/rspamd.conf -f";
+ ExecStart = "${pkgs.rspamd}/bin/rspamd ${optionalString cfg.debug "-d"} -c /etc/rspamd/rspamd.conf -f";
 Restart = "always";
- RuntimeDirectory = "rspamd";
- PrivateTmp = true;
- };
- preStart = ''
- ${pkgs.coreutils}/bin/mkdir -p /var/lib/rspamd
- ${pkgs.coreutils}/bin/chown ${cfg.user}:${cfg.group} /var/lib/rspamd
- '';
+ User = "${cfg.user}";
+ Group = "${cfg.group}";
+ SupplementaryGroups = mkIf cfg.postfix.enable [ postfixCfg.group ];
+
+ RuntimeDirectory = "rspamd";
+ RuntimeDirectoryMode = "0755";
+ StateDirectory = "rspamd";
+ StateDirectoryMode = "0700";
+
+ AmbientCapabilities = [];
+ CapabilityBoundingSet = [];
+ DevicePolicy = "closed";
+ LockPersonality = true;
+ NoNewPrivileges = true;
+ PrivateDevices = true;
+ PrivateMounts = true;
+ PrivateTmp = true;
+ # we need to chown socket to rspamd-milter
+ PrivateUsers = !cfg.postfix.enable;
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ ProtectHome = true;
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectSystem = "strict";
+ RemoveIPC = true;
+ RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ SystemCallArchitectures = "native";
+ SystemCallFilter = "@system-service";
+ UMask = "0077";
+ };
 };
 };
 imports = [
diff --git a/nixos/tests/rspamd.nix b/nixos/tests/rspamd.nix
index 6eaa02ef4291..7f41e1a79566 100644
--- a/nixos/tests/rspamd.nix
+++ b/nixos/tests/rspamd.nix
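Review bot: With `User = "${cfg.user}"`, an empty `CapabilityBoundingSet` and `NoNewPrivileges = true`, rspamd no longer starts as root, so a `bindSockets` entry whose `owner`/`group` is anything other than `cfg.user`/`cfg.group` (or `postfixCfg.group` when postfix is enabled) can no longer be honoured — the tests in this same commit had to move from `owner = "root"` to `owner = "rspamd"` for exactly that reason — yet the module still accepts such a configuration, so an existing deployment will either fail to start or silently end up with a different socket owner on the next switch. An assertion over `cfg.workers.*.bindSockets` would turn that into a build-time error; the sketch below assumes each entry is an attrset with `socket`/`owner`/`group` as the tests use them, so string-form entries are filtered out if the option admits them. The same loss of root also means a worker bound below port 1024 now needs `CAP_NET_BIND_SERVICE` in both `CapabilityBoundingSet` and `AmbientCapabilities`, which deserves a comment beside the two empty lists. The comment `# we need to chown socket to rspamd-milter` does not say what it guards; `# no user namespace with postfix: rspamd must chgrp the milter socket to postfixCfg.group, which PrivateUsers would block` states the actual reason. The enclosing `systemd.services.rspamd` definition starts before this hunk.
```nix
    # Rspamd now runs unprivileged, so it can only hand a socket to itself
    # (or to postfix's group when the milter integration is enabled).
    assertions = flatten (mapAttrsToList (workerName: worker:
      map (sock: {
        assertion = sock.owner == cfg.user
          && (sock.group == cfg.group
              || (cfg.postfix.enable && sock.group == postfixCfg.group));
        message = "services.rspamd.workers.${workerName}: socket ${sock.socket} "
          + "requests ${sock.owner}:${sock.group}, but rspamd runs as ${cfg.user}:${cfg.group} "
          + "and cannot chown sockets to other users";
      }) (filter isAttrs worker.bindSockets)) cfg.workers);
    # … unchanged: services.postfix.config, systemd.services.rspamd …
```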
@@ -13,10 +13,12 @@ let
 machine.succeed("id rspamd >/dev/null")
 '';
 checkSocket = socket: user: group: mode: ''
- machine.succeed("ls ${socket} >/dev/null")
- machine.succeed('[[ "$(stat -c %U ${socket})" == "${user}" ]]')
- machine.succeed('[[ "$(stat -c %G ${socket})" == "${group}" ]]')
- machine.succeed('[[ "$(stat -c %a ${socket})" == "${mode}" ]]')
+ machine.succeed(
+ "ls ${socket} >/dev/null",
+ '[[ "$(stat -c %U ${socket})" == "${user}" ]]',
+ '[[ "$(stat -c %G ${socket})" == "${group}" ]]',
+ '[[ "$(stat -c %a ${socket})" == "${mode}" ]]',
+ )
 '';
 simple = name: enableIPv6: makeTest {
 name = "rspamd-${name}";
@@ -54,33 +56,35 @@ in
 services.rspamd = {
 enable = true;
 workers.normal.bindSockets = [{
- socket = "/run/rspamd.sock";
+ socket = "/run/rspamd/rspamd.sock";
 mode = "0600";
- owner = "root";
- group = "root";
+ owner = "rspamd";
+ group = "rspamd";
 }];
 workers.controller.bindSockets = [{
- socket = "/run/rspamd-worker.sock";
+ socket = "/run/rspamd/rspamd-worker.sock";
 mode = "0666";
- owner = "root";
- group = "root";
+ owner = "rspamd";
+ group = "rspamd";
 }];
 };
 };
 testScript = ''
 ${initMachine}
- machine.wait_for_file("/run/rspamd.sock")
- ${checkSocket "/run/rspamd.sock" "root" "root" "600" }
- ${checkSocket "/run/rspamd-worker.sock" "root" "root" "666" }
+ machine.wait_for_file("/run/rspamd/rspamd.sock")
+ ${checkSocket "/run/rspamd/rspamd.sock" "rspamd" "rspamd" "600" }
+ ${checkSocket "/run/rspamd/rspamd-worker.sock" "rspamd" "rspamd" "666" }
 machine.log(machine.succeed("cat /etc/rspamd/rspamd.conf"))
 machine.log(
 machine.succeed("grep 'CONFDIR/worker-controller.inc' /etc/rspamd/rspamd.conf")
 )
 machine.log(machine.succeed("grep 'CONFDIR/worker-normal.inc' /etc/rspamd/rspamd.conf"))
- machine.log(machine.succeed("rspamc -h /run/rspamd-worker.sock stat"))
+ machine.log(machine.succeed("rspamc -h /run/rspamd/rspamd-worker.sock stat"))
 machine.log(
- machine.succeed("curl --unix-socket /run/rspamd-worker.sock http://localhost/ping")
+ machine.succeed(
+ "curl --unix-socket /run/rspamd/rspamd-worker.sock http://localhost/ping"
+ )
 )
 '';
 };
@@ -91,16 +95,16 @@ in
 services.rspamd = {
 enable = true;
 workers.normal.bindSockets = [{
- socket = "/run/rspamd.sock";
+ socket = "/run/rspamd/rspamd.sock";
 mode = "0600";
- owner = "root";
- group = "root";
+ owner = "rspamd";
+ group = "rspamd";
 }];
 workers.controller.bindSockets = [{
- socket = "/run/rspamd-worker.sock";
+ socket = "/run/rspamd/rspamd-worker.sock";
 mode = "0666";
- owner = "root";
- group = "root";
+ owner = "rspamd";
+ group = "rspamd";
 }];
 workers.controller2 = {
 type = "controller";
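Review bot: Both sockets are now owned by `rspamd`, so the suite no longer exercises the configuration this commit actually changed: a `bindSockets` entry whose `owner`/`group` is not the service user, which the now-unprivileged rspamd can no longer apply. Rather than quietly replacing `owner = "root"` with `owner = "rspamd"`, the old case should be kept as a negative check — a worker with `owner = "root"` whose `checkSocket` is expected to fail, or a `machine.fail` on the socket ownership if the module gains an assertion — so the new behaviour is pinned instead of merely untested. The `checkSocket` helper and the enclosing `simple` test definition start before this hunk.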
@@ -116,9 +120,9 @@ in
 testScript = ''
 ${initMachine}
- machine.wait_for_file("/run/rspamd.sock")
- ${checkSocket "/run/rspamd.sock" "root" "root" "600" }
- ${checkSocket "/run/rspamd-worker.sock" "root" "root" "666" }
+ machine.wait_for_file("/run/rspamd/rspamd.sock")
+ ${checkSocket "/run/rspamd/rspamd.sock" "rspamd" "rspamd" "600" }
+ ${checkSocket "/run/rspamd/rspamd-worker.sock" "rspamd" "rspamd" "666" }
 machine.log(machine.succeed("cat /etc/rspamd/rspamd.conf"))
 machine.log(
 machine.succeed("grep 'CONFDIR/worker-controller.inc' /etc/rspamd/rspamd.conf")
@@ -137,9 +141,11 @@ in
 machine.wait_until_succeeds(
 "journalctl -u rspamd | grep -i 'starting controller process' >&2"
 )
- machine.log(machine.succeed("rspamc -h /run/rspamd-worker.sock stat"))
+ machine.log(machine.succeed("rspamc -h /run/rspamd/rspamd-worker.sock stat"))
 machine.log(
- machine.succeed("curl --unix-socket /run/rspamd-worker.sock http://localhost/ping")
+ machine.succeed(
+ "curl --unix-socket /run/rspamd/rspamd-worker.sock http://localhost/ping"
+ )
 )
 machine.log(machine.succeed("curl http://localhost:11335/ping"))
 '';