From 769237466abb4614cf203c3d5b9adafe49451a26 Mon Sep 17 00:00:00 2001
From: Izorkin
Date: Sat, 28 Dec 2019 12:51:41 +0300
Subject: [PATCH 1/4] nixos/postfix: enable sandboxing
---
 nixos/modules/services/mail/postfix.nix | 73 ++++++++++++++++---------
 1 file changed, 47 insertions(+), 26 deletions(-)
diff --git a/nixos/modules/services/mail/postfix.nix b/nixos/modules/services/mail/postfix.nix
index ad10ba1d9090d..a499f83971d8c 100644
--- a/nixos/modules/services/mail/postfix.nix
+++ b/nixos/modules/services/mail/postfix.nix
@@ -705,6 +705,34 @@ in
 { ${setgidGroup}.gid = config.ids.gids.postdrop;
 };
+ systemd.tmpfiles.rules = [
+ "d '/var/lib/postfix' 0755 postfix postfix - -"
+ "d '/var/lib/postfix/conf' 0755 postfix postfix - -"
+ "d '/var/lib/postfix/data' 0750 postfix postfix - -"
+ "d '/var/lib/postfix/queue' 0755 postfix postfix - -"
+ "d '/var/lib/postfix/queue/active' 0700 postfix postdrop - -"
+ "d '/var/lib/postfix/queue/bounce' 0700 postfix postdrop - -"
+ "d '/var/lib/postfix/queue/corrupt' 0700 postfix postdrop - -"
+ "d '/var/lib/postfix/queue/defer' 0700 postfix postdrop - -"
+ "d '/var/lib/postfix/queue/deferred' 0700 postfix postdrop - -"
+ "d '/var/lib/postfix/queue/flush' 0700 postfix postdrop - -"
+ "d '/var/lib/postfix/queue/hold' 0700 postfix postdrop - -"
+ "d '/var/lib/postfix/queue/incoming' 0700 postfix postdrop - -"
+ "d '/var/lib/postfix/queue/maildrop' 0730 postfix postdrop - -"
+ "d '/var/lib/postfix/queue/pid' 0755 postfix postfix - -"
+ "d '/var/lib/postfix/queue/private' 0700 postfix postdrop - -"
+ "d '/var/lib/postfix/queue/public' 0710 postfix postdrop - -"
+ "d '/var/lib/postfix/queue/saved' 0700 postfix postdrop - -"
+ "d '/var/lib/postfix/queue/trace' 0700 postfix postdrop - -"
+ "d '/var/spool/mail' 1777 root root - -"
+ "Z '/var/lib/postfix' - postfix postfix - -"
+ "Z '/var/lib/postfix/queue/maildrop' - postfix postdrop - -"
+ "Z '/var/lib/postfix/queue/public' - postfix postdrop - -"
+ "L+ '/var/mail' - - - - /var/spool/mail"
+ "L+ '/var/lib/postfix/conf/main.cf' - - - - ${mainCfFile}"
+ "L+ '/var/lib/postfix/conf/master.cf' - - - - ${masterCfFile}"
+ ];
+
 systemd.services.postfix = { description = "Postfix mail server";
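Review bot: The recursive `"Z '/var/lib/postfix' - postfix postfix - -"` rule hands the whole tree, including `conf/`, the queue root and `queue/pid`, to the unprivileged `postfix` user, whereas the `chown root:root /var/lib/postfix` this series deletes in the next hunk (and, per its deleted comment, the upstream `postfix-files` layout) keeps those directories root-owned precisely so the daemons cannot rewrite their own configuration or pid file; the same `Z` line also overrides the `postfix postdrop` group that most of the `d` rules just set (only `maildrop` and `public` are restored), and any later `postfix set-permissions` run will flip ownership back, so the two mechanisms fight on every boot. I would drop the recursive `Z` and make the owners explicit instead: `"d '/var/lib/postfix' 0755 root root - -"`, `"d '/var/lib/postfix/conf' 0755 root root - -"`, `"d '/var/lib/postfix/queue' 0755 root root - -"` (and the same for `queue/pid`), keeping the per-queue `d` rules for the postfix-owned data. Note too that `"L+ '/var/mail' - - - - /var/spool/mail"` force-replaces whatever is at `/var/mail`; as I read the tmpfiles semantics an existing real directory with mailboxes in it is removed rather than left alone, which the old `ln -sf /var/spool/mail /var/` never did, so a migration check or a plain `L` is safer there.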
@@ -719,43 +747,36 @@ in
 ExecStart = "${pkgs.postfix}/bin/postfix start";
 ExecStop = "${pkgs.postfix}/bin/postfix stop";
 ExecReload = "${pkgs.postfix}/bin/postfix reload";
+ # Capabilities
+ CapabilityBoundingSet = [ "CAP_DAC_OVERRIDE" "CAP_NET_BIND_SERVICE" "CAP_SETGID" "CAP_SETUID" ];
+ # Security
+ NoNewPrivileges = true;
+ # Sandboxing
+ ProtectSystem = "full";
+ ProtectHome = true;
+ PrivateTmp = true;
+ PrivateDevices = true;
+ ProtectHostname = true;
+ ProtectKernelTunables = true;
+ ProtectKernelModules = true;
+ ProtectControlGroups = true;
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ RestrictRealtime = true;
+ PrivateMounts = true;
 };
 preStart = ''
- # Backwards compatibility
- if [ ! -d /var/lib/postfix ] && [ -d /var/postfix ]; then
- mkdir -p /var/lib
- mv /var/postfix /var/lib/postfix
- fi
-
- # All permissions set according ${pkgs.postfix}/etc/postfix/postfix-files script
- mkdir -p /var/lib/postfix /var/lib/postfix/queue/{pid,public,maildrop}
- chmod 0755 /var/lib/postfix
- chown root:root /var/lib/postfix
-
- rm -rf /var/lib/postfix/conf
- mkdir -p /var/lib/postfix/conf
- chmod 0755 /var/lib/postfix/conf
- ln -sf ${pkgs.postfix}/etc/postfix/postfix-files /var/lib/postfix/conf/postfix-files
- ln -sf ${mainCfFile} /var/lib/postfix/conf/main.cf
- ln -sf ${masterCfFile} /var/lib/postfix/conf/master.cf
 ${concatStringsSep "\n" (mapAttrsToList (to: from: ''
+ test -f '/var/lib/postfix/conf/${to}' || rm -f '/var/lib/postfix/conf/${to}'
 ln -sf ${from} /var/lib/postfix/conf/${to}
 ${pkgs.postfix}/bin/postalias /var/lib/postfix/conf/${to}
 '') cfg.aliasFiles)}
 ${concatStringsSep "\n" (mapAttrsToList (to: from: ''
+ test -f '/var/lib/postfix/conf/${to}' || rm -f '/var/lib/postfix/conf/${to}'
 ln -sf ${from} /var/lib/postfix/conf/${to}
 ${pkgs.postfix}/bin/postmap /var/lib/postfix/conf/${to}
 '') cfg.mapFiles)}
-
- mkdir -p /var/spool/mail
- chown root:root /var/spool/mail
- chmod a+rwxt /var/spool/mail
- ln -sf /var/spool/mail /var/
-
- #Finally delegate to postfix checking remain directories in /var/lib/postfix and set permissions on them
- ${pkgs.postfix}/bin/postfix set-permissions config_directory=/var/lib/postfix/conf
 '';
 };
From a4f4dd228823316959786e7fdaf137f6ca09c4ba Mon Sep 17 00:00:00 2001
From: Philipp Bartsch
Date: Sat, 18 Jul 2020 01:22:53 +0200
Subject: [PATCH 2/4] nixos/postfix: more sandboxing
---
 nixos/modules/services/mail/postfix.nix | 65 +++++++++++++++----------
 1 file changed, 40 insertions(+), 25 deletions(-)
diff --git a/nixos/modules/services/mail/postfix.nix b/nixos/modules/services/mail/postfix.nix
index a499f83971d8c..b9b9836813ddd 100644
--- a/nixos/modules/services/mail/postfix.nix
+++ b/nixos/modules/services/mail/postfix.nix
@@ -9,6 +9,25 @@ let
 group = cfg.group;
 setgidGroup = cfg.setgidGroup;
+ preStartScript = pkgs.writeScript "pre-start-script" ''
+ #!${pkgs.stdenv.shell}
+ set -euo pipefail
+
+ ${concatStringsSep "\n" (mapAttrsToList (to: from: ''
+ test -f '/var/lib/postfix/conf/${to}' || rm -f '/var/lib/postfix/conf/${to}'
+ ln -sf ${from} /var/lib/postfix/conf/${to}
+ ${pkgs.postfix}/bin/postalias /var/lib/postfix/conf/${to}
+ '') cfg.aliasFiles)}
+ ${concatStringsSep "\n" (mapAttrsToList (to: from: ''
+ test -f '/var/lib/postfix/conf/${to}' || rm -f '/var/lib/postfix/conf/${to}'
+ ln -sf ${from} /var/lib/postfix/conf/${to}
+ ${pkgs.postfix}/bin/postmap /var/lib/postfix/conf/${to}
+ '') cfg.mapFiles)}
+
+ # Finally delegate to postfix checking remain directories in /var/lib/postfix and set permissions on them
+ ${pkgs.postfix}/bin/postfix set-permissions config_directory=/var/lib/postfix/conf
+ '';
+
 haveAliases = cfg.postmasterAlias != "" || cfg.rootAlias != "" || cfg.extraAliases != "";
 haveTransport = cfg.transport != "";
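Review bot: `ProtectHome = true;` masks `/home` and `/root` for the master and every daemon it spawns, which as far as I know breaks `local(8)` delivery into `home_mailbox`/Maildir and `~/.forward` processing for any site that relies on them; either document that restriction on the line (`# ProtectHome: disables home_mailbox/.forward delivery; override to false if needed`) or leave the option out of the default sandbox. The hunk also deletes the `ln -sf ${pkgs.postfix}/etc/postfix/postfix-files /var/lib/postfix/conf/postfix-files` link together with the `postfix set-permissions` call that used it, while the new tmpfiles rules only link `main.cf` and `master.cf`; if anything still resolves `postfix-files` through `$config_directory` (the deleted comment says permissions were derived from that file), it now has nothing to read, so it is worth confirming that the package's `meta_directory` points into the store. The `serviceConfig` set these options belong to opens above the hunk.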
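Review bot: Quoting in the generated script is inconsistent: the `test -f '…${to}' || rm -f '…${to}'` guard single-quotes the path, but the next two lines interpolate `${from}` and `${to}` bare (`ln -sf ${from} /var/lib/postfix/conf/${to}` and the `postalias`/`postmap` line), so an `aliasFiles`/`mapFiles` key containing whitespace or a glob character is one word for the guard and several for the commands under this `set -euo pipefail` shell. Quote them the same way, e.g. `ln -sf '${from}' '/var/lib/postfix/conf/${to}'` and `${pkgs.postfix}/bin/postalias '/var/lib/postfix/conf/${to}'`, or pass the key through `escapeShellArg` if `lib` is in scope here. Since the next hunk runs this script as full root via `ExecStartPre = "+…"`, a one-line header stating that would help the next reader, e.g. `# Runs outside the unit's sandbox (ExecStartPre "+") so set-permissions can chown; keep it free of untrusted input.` The `let` block that holds `preStartScript` starts above the hunk.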
@@ -747,37 +766,33 @@ in
 ExecStart = "${pkgs.postfix}/bin/postfix start";
 ExecStop = "${pkgs.postfix}/bin/postfix stop";
 ExecReload = "${pkgs.postfix}/bin/postfix reload";
- # Capabilities
- CapabilityBoundingSet = [ "CAP_DAC_OVERRIDE" "CAP_NET_BIND_SERVICE" "CAP_SETGID" "CAP_SETUID" ];
- # Security
+ ExecStartPre = "+${preStartScript}";
+
+ ReadWritePaths = [ "/var/lib/postfix" "/var/spool/mail" ];
+
+ CapabilityBoundingSet = "CAP_DAC_READ_SEARCH CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID";
+ DevicePolicy = "closed";
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
 NoNewPrivileges = true;
- # Sandboxing
- ProtectSystem = "full";
- ProtectHome = true;
- PrivateTmp = true;
 PrivateDevices = true;
+ PrivateMounts = true;
+ PrivateTmp = true;
+ ProtectClock = true;
+ ProtectControlGroups = true;
 ProtectHostname = true;
- ProtectKernelTunables = true;
+ ProtectKernelLogs = true;
 ProtectKernelModules = true;
- ProtectControlGroups = true;
- LockPersonality = true;
- MemoryDenyWriteExecute = true;
+ ProtectKernelTunables = true;
+ ProtectSystem = "full";
+ RestrictAddressFamilies = "AF_INET AF_INET6 AF_NETLINK AF_UNIX";
+ RestrictNamespaces = true;
 RestrictRealtime = true;
- PrivateMounts = true;
+ RestrictSUIDSGID = true;
+ SystemCallArchitectures = "native";
+ SystemCallFilter = [ "@system-service" "~@resources" ];
+ UMask = "0077";
 };
-
- preStart = ''
- ${concatStringsSep "\n" (mapAttrsToList (to: from: ''
- test -f '/var/lib/postfix/conf/${to}' || rm -f '/var/lib/postfix/conf/${to}'
- ln -sf ${from} /var/lib/postfix/conf/${to}
- ${pkgs.postfix}/bin/postalias /var/lib/postfix/conf/${to}
- '') cfg.aliasFiles)}
- ${concatStringsSep "\n" (mapAttrsToList (to: from: ''
- test -f '/var/lib/postfix/conf/${to}' || rm -f '/var/lib/postfix/conf/${to}'
- ln -sf ${from} /var/lib/postfix/conf/${to}
- ${pkgs.postfix}/bin/postmap /var/lib/postfix/conf/${to}
- '') cfg.mapFiles)}
- '';
 };
 services.postfix.config = (mapAttrs (_: v: mkDefault v) {
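Review bot: `ReadWritePaths` has no effect under `ProtectSystem = "full"`: that mode only makes `/usr`, `/boot` and `/etc` read-only, so `/var/lib/postfix` and `/var/spool/mail` were already writable and the allow-list is not enforced. If the intent is to confine writes to the queue and the spool, `ProtectSystem = "strict";` would actually enforce the two listed paths — but anything `local(8)` or a `pipe(8)` transport writes elsewhere (home mailboxes, already cut off by `ProtectHome = true`, or an external command's own files) would then fail, so each configured transport should be test-delivered before tightening. Separately, `@system-service` does not, as far as I can tell, include the `chroot` syscall; if any master.cf entry is configured with chroot enabled, that daemon will be killed by seccomp, so either add `chroot` to the filter or put a comment on the `SystemCallFilter` line stating that it assumes chroot is off for every service. The `serviceConfig` set these options belong to opens above the hunk.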
From 0bf216e6268bccfabda21e9a9444934fe651db6a Mon Sep 17 00:00:00 2001
From: Philipp Bartsch
Date: Sun, 19 Jul 2020 14:25:24 +0200
Subject: [PATCH 3/4] nixos/postfix: fixup cosmetics
---
 nixos/modules/services/mail/postfix.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/nixos/modules/services/mail/postfix.nix b/nixos/modules/services/mail/postfix.nix
index b9b9836813ddd..f039b2b6832ff 100644
--- a/nixos/modules/services/mail/postfix.nix
+++ b/nixos/modules/services/mail/postfix.nix
@@ -770,7 +770,7 @@ in
 ReadWritePaths = [ "/var/lib/postfix" "/var/spool/mail" ];
- CapabilityBoundingSet = "CAP_DAC_READ_SEARCH CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID";
+ CapabilityBoundingSet = [ "CAP_DAC_READ_SEARCH" "CAP_NET_BIND_SERVICE" "CAP_SETGID" "CAP_SETUID" ];
 DevicePolicy = "closed";
 LockPersonality = true;
 MemoryDenyWriteExecute = true;
@@ -785,7 +785,7 @@ in
 ProtectKernelModules = true;
 ProtectKernelTunables = true;
 ProtectSystem = "full";
- RestrictAddressFamilies = "AF_INET AF_INET6 AF_NETLINK AF_UNIX";
+ RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_NETLINK" "AF_UNIX" ];
 RestrictNamespaces = true;
 RestrictRealtime = true;
 RestrictSUIDSGID = true;
From 7b285fb877a7463fb769e8f57d0679eb7f0de8c0 Mon Sep 17 00:00:00 2001
From: Philipp Bartsch
Date: Tue, 21 Jul 2020 22:31:24 +0200
Subject: [PATCH 4/4] nixos/postfix: fix permission issue
---
 nixos/modules/services/mail/postfix.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/nixos/modules/services/mail/postfix.nix b/nixos/modules/services/mail/postfix.nix
index f039b2b6832ff..3cd3b170e2f68 100644
--- a/nixos/modules/services/mail/postfix.nix
+++ b/nixos/modules/services/mail/postfix.nix
@@ -770,7 +770,7 @@ in
 ReadWritePaths = [ "/var/lib/postfix" "/var/spool/mail" ];
- CapabilityBoundingSet = [ "CAP_DAC_READ_SEARCH" "CAP_NET_BIND_SERVICE" "CAP_SETGID" "CAP_SETUID" ];
+ CapabilityBoundingSet = [ "CAP_DAC_OVERRIDE" "CAP_NET_BIND_SERVICE" "CAP_SETGID" "CAP_SETUID" ];
 DevicePolicy = "closed";
 LockPersonality = true;
 MemoryDenyWriteExecute = true;
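Review bot: Going back to `CAP_DAC_OVERRIDE` widens the bounding set from a read/search bypass to a full write-permission bypass for the root-running master and everything it spawns, and the commit message gives no hint which operation failed under `CAP_DAC_READ_SEARCH`. A comment on the line would keep the next person from re-narrowing it blindly and record what actually needs it, e.g. `# CAP_DAC_OVERRIDE: CAP_DAC_READ_SEARCH alone broke startup (7b285fb); presumably root must write into the postfix-owned 0700 queue dirs from the tmpfiles rules — confirm and narrow`. If that is indeed the cause, making the queue root and `queue/pid` root-owned (what `postfix set-permissions` expects) would let the capability be dropped again instead of kept for good. The `serviceConfig` set this line sits in continues outside the hunk.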