From b3b12bc12040a9c21e6413bcc0a96f5efa7be9ab Mon Sep 17 00:00:00 2001
From: Anthony Roussel
Date: Thu, 20 Jun 2024 11:46:06 +0200
Subject: [PATCH] nixos/gns3-server: disable SystemD hardening
---
 .../manual/release-notes/rl-2411.section.md | 9 ++++++++
 .../services/networking/gns3-server.nix | 22 ++++++++++++++-----
 2 files changed, 26 insertions(+), 5 deletions(-)
diff --git a/nixos/doc/manual/release-notes/rl-2411.section.md b/nixos/doc/manual/release-notes/rl-2411.section.md
index 5ad2076d75d7e4e..3d2915a1e3bb80d 100644
--- a/nixos/doc/manual/release-notes/rl-2411.section.md
+++ b/nixos/doc/manual/release-notes/rl-2411.section.md
@@ -291,6 +291,15 @@ a static `user` and `group`. The `writablePaths` option has been removed and the models directory is now always exempt from sandboxing.
+- The `gns3-server` service now runs under the `gns3` system user
+ instead of a dynamically created one via `DynamicUser`.
+ The use of SUID wrappers is incompatible with SystemD's `DynamicUser` setting,
+ and GNS3 requires calling ubridge through its SUID wrapper to function properly.
+ This change requires to manually move the following directories:
+ * from `/var/lib/private/gns3` to `/var/lib/gns3`
+ * from `/var/log/private/gns3` to `/var/log/gns3`
+ and to change the ownership of the directory and its content to `gns3`.
+
 - Legacy package `stalwart-mail_0_6` was dropped, please note the [manual upgrade process](https://github.com/stalwartlabs/mail-server/blob/main/UPGRADING.md) before changing the package to `pkgs.stalwart-mail` in
diff --git a/nixos/modules/services/networking/gns3-server.nix b/nixos/modules/services/networking/gns3-server.nix
index cb1b44dd0fc6e9d..4d7f5101f476c14 100644
--- a/nixos/modules/services/networking/gns3-server.nix
+++ b/nixos/modules/services/networking/gns3-server.nix
@@ -233,14 +233,27 @@ in {
 User = "gns3";
 WorkingDirectory = "%S/gns3";
+ # Required for ubridge integration to work
+ #
+ # GNS3 needs to run SUID binaries (ubridge)
+ # but NoNewPrivileges breaks execution of SUID binaries
+ DynamicUser = lib.mkForce false;
+ NoNewPrivileges = lib.mkForce false;
+ RestrictSUIDSGID = lib.mkForce false;
+ PrivateUsers = lib.mkForce false;
+
 # Hardening
- DeviceAllow = lib.optional flags.enableLibvirtd "/dev/kvm";
+ DeviceAllow = [
+ # ubridge needs access to tun/tap devices
+ "/dev/net/tap rw"
+ "/dev/net/tun rw"
+ ] ++ lib.optionals flags.enableLibvirtd [
+ "/dev/kvm"
+ ];
 DevicePolicy = "closed";
 LockPersonality = true;
 MemoryDenyWriteExecute = true;
- NoNewPrivileges = true;
 PrivateTmp = true;
- PrivateUsers = true;
 # Don't restrict ProcSubset because python3Packages.psutil requires read access to /proc/stat
 # ProcSubset = "pid";
 ProtectClock = true;
@@ -261,8 +274,7 @@ in {
 ];
 RestrictNamespaces = true;
 RestrictRealtime = true;
- RestrictSUIDSGID = true;
- UMask = "0077";
+ UMask = "0022";
 };
 };
 };
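Review bot: `RestrictSUIDSGID = lib.mkForce false;` in the first hunk does not serve the stated goal: per systemd.exec(5) that option only denies *setting* the SUID/SGID bits on files (chmod-style calls); it does not prevent the service from executing an already-SUID ubridge wrapper, so it can stay at its previous `true` and keep the service from creating new setuid files (if testing showed otherwise, the comment should say so). The comment block names only NoNewPrivileges, yet DynamicUser and PrivateUsers are forced off as well; each deserves its reason inline, e.g. `# DynamicUser implies NoNewPrivileges (see release note); PrivateUsers confines SUID root to a user namespace where it does not grant host privileges — verify against systemd.exec(5)`. The second hunk also drops `RestrictSUIDSGID = true;`, which is the same change. The enclosing serviceConfig attribute set starts before this hunk.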
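Review bot: The umask is relaxed from `0077` to `0022` in the second hunk with no explanation in the hunk, the commit message or the release-notes entry; files the service creates (for example under its `%S/gns3` state directory) become group- and world-readable as a result. A SUID-root ubridge can read the service's files regardless of umask, so if another component needs the wider permissions it should be named, e.g. `UMask = "0022"; # TODO(review): document which component requires world-readable files, or narrow to 0027`. The closing braces after the UMask line belong to attribute sets that start before the hunk.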