nixos/gns3-server: disable SystemD hardening

NixOS · Sep 22, 2024 · b12bc80 · b12bc80
1 parent 760ba64
commit b12bc80
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 5 deletions.
diff --git a/nixos/doc/manual/release-notes/rl-2411.section.md b/nixos/doc/manual/release-notes/rl-2411.section.md
@@ -291,6 +291,15 @@
   a static `user` and `group`. The `writablePaths` option has been removed and
   the models directory is now always exempt from sandboxing.
 
+- The `gns3-server` service now runs under the `gns3` system user
+  instead of a dynamically created one via `DynamicUser`.
+  The use of SUID wrappers is incompatible with SystemD's `DynamicUser` setting,
+  and GNS3 requires calling ubridge through its SUID wrapper to function properly.
+  This change requires to manually move the following directories:
+    * from `/var/lib/private/gns3` to `/var/lib/gns3`
+    * from `/var/log/private/gns3` to `/var/log/gns3`
+  and to change the ownership of these directories and their contents to `gns3` (including `/etc/gns3`).
+
 - Legacy package `stalwart-mail_0_6` was dropped, please note the
   [manual upgrade process](https://github.com/stalwartlabs/mail-server/blob/main/UPGRADING.md)
   before changing the package to `pkgs.stalwart-mail` in

diff --git a/nixos/modules/services/networking/gns3-server.nix b/nixos/modules/services/networking/gns3-server.nix
@@ -233,14 +233,27 @@ in {
         User = "gns3";
         WorkingDirectory = "%S/gns3";
 
+        # Required for ubridge integration to work
+        #
+        # GNS3 needs to run SUID binaries (ubridge)
+        # but NoNewPrivileges breaks execution of SUID binaries
+        DynamicUser = lib.mkForce false;
+        NoNewPrivileges = lib.mkForce false;
+        RestrictSUIDSGID = lib.mkForce false;
+        PrivateUsers = lib.mkForce false;
+
         # Hardening
-        DeviceAllow = lib.optional flags.enableLibvirtd "/dev/kvm";
+        DeviceAllow = [
+          # ubridge needs access to tun/tap devices
+          "/dev/net/tap rw"
+          "/dev/net/tun rw"
+        ] ++ lib.optionals flags.enableLibvirtd [
+          "/dev/kvm"
+        ];
         DevicePolicy = "closed";
         LockPersonality = true;
         MemoryDenyWriteExecute = true;
-        NoNewPrivileges = true;
         PrivateTmp = true;
-        PrivateUsers = true;
         # Don't restrict ProcSubset because python3Packages.psutil requires read access to /proc/stat
         # ProcSubset = "pid";
         ProtectClock = true;
@@ -261,8 +274,7 @@ in {
         ];
         RestrictNamespaces = true;
         RestrictRealtime = true;
-        RestrictSUIDSGID = true;
-        UMask = "0077";
+        UMask = "0022";
       };
     };
   };