From 942ae5409ba888f7e667db5f7f2c2bbcc3ded781 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C5=81ukasz=20Niemier?= <~@hauleth.dev>
Date: Wed, 24 Dec 2025 21:10:19 +0100
Subject: [PATCH] nix: harden systemd's service

This introduces set of hardening options to systemd's unit to isolate service more.
Applied restrictions are (among other):
- no capabilities, and these cannot be changed (so calling binary with capabilities may cause an issue)
- cannot call SUID/GUID binaries
- restrict view on the OS to minimum
- hide some shared resources (like users or `/tmp`)
- disallow non-UNIX and non-INET(4/6) sockets
- protect kernel settings and logs
- force native syscalls (so for example on x86-64 there is no way to call x86 syscalls)
- limit executables to Nix store
These shouldn't be too restrictive for most users.
---
 nix/modules/knot.nix | 43 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 43 insertions(+)

diff --git a/nix/modules/knot.nix b/nix/modules/knot.nix
index 06a6caba..234d7a50 100644
--- a/nix/modules/knot.nix
+++ b/nix/modules/knot.nix
@@ -275,6 +275,49 @@ in
 ];
 ExecStart = "${cfg.package}/bin/knot server";
 Restart = "always";
+
+ # Hardening
+ NoNewPrivileges = true;
+ LockPersonality = true;
+ RemoveIPC = true;
+
+ MemoryDenyWriteExecute = true;
+
+ CapabilityBoundingSet = [""];
+
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ RestrictSUIDGUID = true;
+
+ ProtectHostname = true;
+ ProtectHome = false; # Important to be false, as Knot is using home path for storing repos
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ ProtectProc = "invisible";
+ ProcSubset = "pid";
+
+ RestrictAddressFamilies = ["AF_UNIX" "AF_INET" "AD_INET6"];
+
+ DeviceAllow = [""];
+
+ PrivateDevices = true;
+ PrivateTmp = true;
+ PrivateMounts = true;
+ PrivateUsers = true;
+
+ # TODO: Maybe we could make it more restrictive
+ ExecPaths = ["/nix/store"];
+ NoExecPaths = ["/"];
+
+ ProtectSystem = "strict";
+
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+
+ SystemCallFilter = ["@system-service", "~@privileged"];
+ SystelCallArchitecture = ["native"];
+ SystemCallErrorNumber = "EPERM";
 };
 };
--
2.51.2
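Review bot: Four of the new option names and values in this hunk are misspelled, so the module either fails to evaluate or silently applies less hardening than the commit message describes. The comma in `SystemCallFilter = ["@system-service", "~@privileged"];` is a Nix syntax error (list elements are whitespace-separated), `SystelCallArchitecture` should be `SystemCallArchitectures`, `RestrictSUIDGUID` should be `RestrictSUIDSGID`, and `AD_INET6` should be `AF_INET6`. systemd only warns about unknown `[Service]` keys and unknown address-family names and then ignores them, so once the syntax error is fixed the native-only syscall and SUID/SGID restrictions would still not be applied and IPv6 sockets would be refused. With `ProtectSystem = "strict"` everything outside `/home` is read-only for the service, so any state or log directory it writes elsewhere would need a `ReadWritePaths` or `StateDirectory` entry — worth confirming against the rest of the unit, which is not visible here. The enclosing `serviceConfig` attribute set begins before the hunk.
```nix
        # … unchanged: NoNewPrivileges through RestrictRealtime …
        RestrictSUIDSGID = true;
        # … unchanged: ProtectHostname through ProcSubset …
        RestrictAddressFamilies = ["AF_UNIX" "AF_INET" "AF_INET6"];
        # … unchanged: DeviceAllow through ProtectKernelTunables …
        SystemCallFilter = ["@system-service" "~@privileged"];
        SystemCallArchitectures = ["native"];
        SystemCallErrorNumber = "EPERM";
```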