nixos-config/patches/postfix-93305.patch

From 769237466abb4614cf203c3d5b9adafe49451a26 Mon Sep 17 00:00:00 2001
From: Izorkin <izorkin@elven.pw>
Date: Sat, 28 Dec 2019 12:51:41 +0300
Subject: [PATCH 1/4] nixos/postfix: enable sandboxing
---
nixos/modules/services/mail/postfix.nix | 73 ++++++++++++++++---------
1 file changed, 47 insertions(+), 26 deletions(-)
diff --git a/nixos/modules/services/mail/postfix.nix b/nixos/modules/services/mail/postfix.nix
index ad10ba1d9090d..a499f83971d8c 100644
--- a/nixos/modules/services/mail/postfix.nix
+++ b/nixos/modules/services/mail/postfix.nix
@@ -705,6 +705,34 @@ in
{ ${setgidGroup}.gid = config.ids.gids.postdrop;
};
+ systemd.tmpfiles.rules = [
+ "d '/var/lib/postfix' 0755 postfix postfix - -"
+ "d '/var/lib/postfix/conf' 0755 postfix postfix - -"
+ "d '/var/lib/postfix/data' 0750 postfix postfix - -"
+ "d '/var/lib/postfix/queue' 0755 postfix postfix - -"
+ "d '/var/lib/postfix/queue/active' 0700 postfix postdrop - -"
+ "d '/var/lib/postfix/queue/bounce' 0700 postfix postdrop - -"
+ "d '/var/lib/postfix/queue/corrupt' 0700 postfix postdrop - -"
+ "d '/var/lib/postfix/queue/defer' 0700 postfix postdrop - -"
+ "d '/var/lib/postfix/queue/deferred' 0700 postfix postdrop - -"
+ "d '/var/lib/postfix/queue/flush' 0700 postfix postdrop - -"
+ "d '/var/lib/postfix/queue/hold' 0700 postfix postdrop - -"
+ "d '/var/lib/postfix/queue/incoming' 0700 postfix postdrop - -"
+ "d '/var/lib/postfix/queue/maildrop' 0730 postfix postdrop - -"
+ "d '/var/lib/postfix/queue/pid' 0755 postfix postfix - -"
+ "d '/var/lib/postfix/queue/private' 0700 postfix postdrop - -"
+ "d '/var/lib/postfix/queue/public' 0710 postfix postdrop - -"
+ "d '/var/lib/postfix/queue/saved' 0700 postfix postdrop - -"
+ "d '/var/lib/postfix/queue/trace' 0700 postfix postdrop - -"
+ "d '/var/spool/mail' 1777 root root - -"
+ "Z '/var/lib/postfix' - postfix postfix - -"
+ "Z '/var/lib/postfix/queue/maildrop' - postfix postdrop - -"
+ "Z '/var/lib/postfix/queue/public' - postfix postdrop - -"
+ "L+ '/var/mail' - - - - /var/spool/mail"
+ "L+ '/var/lib/postfix/conf/main.cf' - - - - ${mainCfFile}"
+ "L+ '/var/lib/postfix/conf/master.cf' - - - - ${masterCfFile}"
+ ];
+
systemd.services.postfix =
{ description = "Postfix mail server";
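Review bot: The new `d`/`Z` tmpfiles rules hard-code the `postfix` and `postdrop` account names even though the module exposes `setgidGroup` (used two lines above this hunk, `${setgidGroup}.gid`) and, going by the `let` block shown in the second patch, `group`; a deployment that overrides those options ends up with queue directories owned by an account other than the one the daemon runs as. Interpolate the module bindings instead, e.g. `"d '/var/lib/postfix/queue/maildrop' 0730 ${user} ${setgidGroup} - -"`, assuming `user` is bound from `cfg.user` alongside `group` (that binding is outside this hunk). The recursive `Z '/var/lib/postfix'` line is followed by two narrower `Z` lines inside the same tree, and the order in which tmpfiles applies overlapping `Z` entries is not obvious from reading the rules, so a one-line comment stating the intended final ownership of `maildrop` and `public` would save the next reader a trip to the manual. The `queue/pid` directory is created as `postfix:postfix` here whereas the removed `set-permissions` step in the next hunk delegated ownership to the package's `postfix-files` list; worth confirming the two agree.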
@@ -719,43 +747,36 @@ in
ExecStart = "${pkgs.postfix}/bin/postfix start";
ExecStop = "${pkgs.postfix}/bin/postfix stop";
ExecReload = "${pkgs.postfix}/bin/postfix reload";
+ # Capabilities
+ CapabilityBoundingSet = [ "CAP_DAC_OVERRIDE" "CAP_NET_BIND_SERVICE" "CAP_SETGID" "CAP_SETUID" ];
+ # Security
+ NoNewPrivileges = true;
+ # Sandboxing
+ ProtectSystem = "full";
+ ProtectHome = true;
+ PrivateTmp = true;
+ PrivateDevices = true;
+ ProtectHostname = true;
+ ProtectKernelTunables = true;
+ ProtectKernelModules = true;
+ ProtectControlGroups = true;
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ RestrictRealtime = true;
+ PrivateMounts = true;
};
preStart = ''
- # Backwards compatibility
- if [ ! -d /var/lib/postfix ] && [ -d /var/postfix ]; then
- mkdir -p /var/lib
- mv /var/postfix /var/lib/postfix
- fi
-
- # All permissions set according ${pkgs.postfix}/etc/postfix/postfix-files script
- mkdir -p /var/lib/postfix /var/lib/postfix/queue/{pid,public,maildrop}
- chmod 0755 /var/lib/postfix
- chown root:root /var/lib/postfix
-
- rm -rf /var/lib/postfix/conf
- mkdir -p /var/lib/postfix/conf
- chmod 0755 /var/lib/postfix/conf
- ln -sf ${pkgs.postfix}/etc/postfix/postfix-files /var/lib/postfix/conf/postfix-files
- ln -sf ${mainCfFile} /var/lib/postfix/conf/main.cf
- ln -sf ${masterCfFile} /var/lib/postfix/conf/master.cf
-
${concatStringsSep "\n" (mapAttrsToList (to: from: ''
+ test -f '/var/lib/postfix/conf/${to}' || rm -f '/var/lib/postfix/conf/${to}'
ln -sf ${from} /var/lib/postfix/conf/${to}
${pkgs.postfix}/bin/postalias /var/lib/postfix/conf/${to}
'') cfg.aliasFiles)}
${concatStringsSep "\n" (mapAttrsToList (to: from: ''
+ test -f '/var/lib/postfix/conf/${to}' || rm -f '/var/lib/postfix/conf/${to}'
ln -sf ${from} /var/lib/postfix/conf/${to}
${pkgs.postfix}/bin/postmap /var/lib/postfix/conf/${to}
'') cfg.mapFiles)}
-
- mkdir -p /var/spool/mail
- chown root:root /var/spool/mail
- chmod a+rwxt /var/spool/mail
- ln -sf /var/spool/mail /var/
-
- #Finally delegate to postfix checking remain directories in /var/lib/postfix and set permissions on them
- ${pkgs.postfix}/bin/postfix set-permissions config_directory=/var/lib/postfix/conf
'';
};
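Review bot: Deleting the `/var/postfix` → `/var/lib/postfix` migration at the top of `preStart` leaves hosts still on the old layout with an empty queue after upgrade, and nothing in this patch replaces it (a tmpfiles rule cannot move a directory). Either keep that four-line move in `preStart` for a release or two, or call out the manual step in the changelog entry for this change. The new `test -f … || rm -f …` guard only clears a dangling symlink or a non-regular file before `ln -sf`; if a stale directory is what it is meant to handle, `rm -f` will not remove it and `ln -sf` will then drop the link inside that directory instead, so the intent deserves a comment such as `# drop stale/dangling entries so ln -sf replaces rather than nests`. `CAP_DAC_OVERRIDE` is the broadest of the four capabilities granted in the bounding set; the later commits in this series narrow it to `CAP_DAC_READ_SEARCH` and then restore it, which suggests the specific privileged write that needs it should be named in a comment next to the line.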
From a4f4dd228823316959786e7fdaf137f6ca09c4ba Mon Sep 17 00:00:00 2001
From: Philipp Bartsch <phil@grmr.de>
Date: Sat, 18 Jul 2020 01:22:53 +0200
Subject: [PATCH 2/4] nixos/postfix: more sandboxing
---
nixos/modules/services/mail/postfix.nix | 65 +++++++++++++++----------
1 file changed, 40 insertions(+), 25 deletions(-)
diff --git a/nixos/modules/services/mail/postfix.nix b/nixos/modules/services/mail/postfix.nix
index a499f83971d8c..b9b9836813ddd 100644
--- a/nixos/modules/services/mail/postfix.nix
+++ b/nixos/modules/services/mail/postfix.nix
@@ -9,6 +9,25 @@ let
group = cfg.group;
setgidGroup = cfg.setgidGroup;
+ preStartScript = pkgs.writeScript "pre-start-script" ''
+ #!${pkgs.stdenv.shell}
+ set -euo pipefail
+
+ ${concatStringsSep "\n" (mapAttrsToList (to: from: ''
+ test -f '/var/lib/postfix/conf/${to}' || rm -f '/var/lib/postfix/conf/${to}'
+ ln -sf ${from} /var/lib/postfix/conf/${to}
+ ${pkgs.postfix}/bin/postalias /var/lib/postfix/conf/${to}
+ '') cfg.aliasFiles)}
+ ${concatStringsSep "\n" (mapAttrsToList (to: from: ''
+ test -f '/var/lib/postfix/conf/${to}' || rm -f '/var/lib/postfix/conf/${to}'
+ ln -sf ${from} /var/lib/postfix/conf/${to}
+ ${pkgs.postfix}/bin/postmap /var/lib/postfix/conf/${to}
+ '') cfg.mapFiles)}
+
+ # Finally delegate to postfix checking remain directories in /var/lib/postfix and set permissions on them
+ ${pkgs.postfix}/bin/postfix set-permissions config_directory=/var/lib/postfix/conf
+ '';
+
haveAliases = cfg.postmasterAlias != "" || cfg.rootAlias != ""
|| cfg.extraAliases != "";
haveTransport = cfg.transport != "";
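Review bot: The generated script interpolates `${from}` and `${to}` unquoted into `ln -sf`, `postalias` and `postmap`, while the `test -f` line just above quotes the same path; a map name or source path containing whitespace or glob characters splits into several arguments, and with `set -euo pipefail` now in force that aborts the service start rather than failing quietly. Quote all three uses the same way, `ln -sf '${from}' '/var/lib/postfix/conf/${to}'`, or pass the values through `lib.escapeShellArg` so a quote character in a value cannot break out of the literal. The `postfix-files` symlink that the original `preStart` placed in `conf/` is recreated neither here nor by the tmpfiles rules, so `postfix set-permissions` on the last line relies on the package locating that list some other way; a comment would help if that is intentional. `preStartScript` also carries no note that it is launched through the `+`-prefixed `ExecStartPre` in the next hunk, i.e. outside the unit's sandbox; a header line such as `# runs with full privileges before the sandboxed main process: writes conf/ and fixes queue ownership` would make that trust boundary explicit.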
@@ -747,37 +766,33 @@ in
ExecStart = "${pkgs.postfix}/bin/postfix start";
ExecStop = "${pkgs.postfix}/bin/postfix stop";
ExecReload = "${pkgs.postfix}/bin/postfix reload";
- # Capabilities
- CapabilityBoundingSet = [ "CAP_DAC_OVERRIDE" "CAP_NET_BIND_SERVICE" "CAP_SETGID" "CAP_SETUID" ];
- # Security
+ ExecStartPre = "+${preStartScript}";
+
+ ReadWritePaths = [ "/var/lib/postfix" "/var/spool/mail" ];
+
+ CapabilityBoundingSet = "CAP_DAC_READ_SEARCH CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID";
+ DevicePolicy = "closed";
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
- # Sandboxing
- ProtectSystem = "full";
- ProtectHome = true;
- PrivateTmp = true;
PrivateDevices = true;
+ PrivateMounts = true;
+ PrivateTmp = true;
+ ProtectClock = true;
+ ProtectControlGroups = true;
ProtectHostname = true;
- ProtectKernelTunables = true;
+ ProtectKernelLogs = true;
ProtectKernelModules = true;
- ProtectControlGroups = true;
- LockPersonality = true;
- MemoryDenyWriteExecute = true;
+ ProtectKernelTunables = true;
+ ProtectSystem = "full";
+ RestrictAddressFamilies = "AF_INET AF_INET6 AF_NETLINK AF_UNIX";
+ RestrictNamespaces = true;
RestrictRealtime = true;
- PrivateMounts = true;
+ RestrictSUIDSGID = true;
+ SystemCallArchitectures = "native";
+ SystemCallFilter = [ "@system-service" "~@resources" ];
+ UMask = "0077";
};
-
- preStart = ''
- ${concatStringsSep "\n" (mapAttrsToList (to: from: ''
- test -f '/var/lib/postfix/conf/${to}' || rm -f '/var/lib/postfix/conf/${to}'
- ln -sf ${from} /var/lib/postfix/conf/${to}
- ${pkgs.postfix}/bin/postalias /var/lib/postfix/conf/${to}
- '') cfg.aliasFiles)}
- ${concatStringsSep "\n" (mapAttrsToList (to: from: ''
- test -f '/var/lib/postfix/conf/${to}' || rm -f '/var/lib/postfix/conf/${to}'
- ln -sf ${from} /var/lib/postfix/conf/${to}
- ${pkgs.postfix}/bin/postmap /var/lib/postfix/conf/${to}
- '') cfg.mapFiles)}
- '';
};
services.postfix.config = (mapAttrs (_: v: mkDefault v) {
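Review bot: `ReadWritePaths = [ "/var/lib/postfix" "/var/spool/mail" ]` has no observable effect next to `ProtectSystem = "full"`, because `full` only makes `/usr`, the boot directories and `/etc` read-only while `/var` stays writable; the list only starts to confine anything under `ProtectSystem = "strict"`. Either switch to `strict` so the list actually restricts writes (checking that local delivery and the `/var/mail` symlink still work, since `ProtectHome` is dropped in this hunk), or remove the line so a reader is not misled about what is enforced. `DevicePolicy = "closed"` is likewise implied by `PrivateDevices = true`, so one of the two is redundant. The `+` on `ExecStartPre` deliberately runs `preStartScript` without `User=`, the capability set or the namespace restrictions listed below it, which is the right tool for `set-permissions`, but it deserves a comment on that line, e.g. `# '+' = run unsandboxed as root: postalias/postmap and set-permissions write to conf/ and the queue`. `CapabilityBoundingSet` is narrowed to `CAP_DAC_READ_SEARCH` here and widened back to `CAP_DAC_OVERRIDE` by the fourth patch in this series without a comment naming the write that needs it; that rationale belongs next to the line.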
From 0bf216e6268bccfabda21e9a9444934fe651db6a Mon Sep 17 00:00:00 2001
From: Philipp Bartsch <phil@grmr.de>
Date: Sun, 19 Jul 2020 14:25:24 +0200
Subject: [PATCH 3/4] nixos/postfix: fixup cosmetics
---
nixos/modules/services/mail/postfix.nix | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/nixos/modules/services/mail/postfix.nix b/nixos/modules/services/mail/postfix.nix
index b9b9836813ddd..f039b2b6832ff 100644
--- a/nixos/modules/services/mail/postfix.nix
+++ b/nixos/modules/services/mail/postfix.nix
@@ -770,7 +770,7 @@ in
ReadWritePaths = [ "/var/lib/postfix" "/var/spool/mail" ];
- CapabilityBoundingSet = "CAP_DAC_READ_SEARCH CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID";
+ CapabilityBoundingSet = [ "CAP_DAC_READ_SEARCH" "CAP_NET_BIND_SERVICE" "CAP_SETGID" "CAP_SETUID" ];
DevicePolicy = "closed";
LockPersonality = true;
MemoryDenyWriteExecute = true;
@@ -785,7 +785,7 @@ in
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectSystem = "full";
- RestrictAddressFamilies = "AF_INET AF_INET6 AF_NETLINK AF_UNIX";
+ RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_NETLINK" "AF_UNIX" ];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
From 7b285fb877a7463fb769e8f57d0679eb7f0de8c0 Mon Sep 17 00:00:00 2001
From: Philipp Bartsch <phil@grmr.de>
Date: Tue, 21 Jul 2020 22:31:24 +0200
Subject: [PATCH 4/4] nixos/postfix: fix permission issue
---
nixos/modules/services/mail/postfix.nix | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/nixos/modules/services/mail/postfix.nix b/nixos/modules/services/mail/postfix.nix
index f039b2b6832ff..3cd3b170e2f68 100644
--- a/nixos/modules/services/mail/postfix.nix
+++ b/nixos/modules/services/mail/postfix.nix
@@ -770,7 +770,7 @@ in
ReadWritePaths = [ "/var/lib/postfix" "/var/spool/mail" ];
- CapabilityBoundingSet = [ "CAP_DAC_READ_SEARCH" "CAP_NET_BIND_SERVICE" "CAP_SETGID" "CAP_SETUID" ];
+ CapabilityBoundingSet = [ "CAP_DAC_OVERRIDE" "CAP_NET_BIND_SERVICE" "CAP_SETGID" "CAP_SETUID" ];
DevicePolicy = "closed";
LockPersonality = true;
MemoryDenyWriteExecute = true;