services/enthalpy: fixup dns leak in network namespace

2024-12-02 20:17:09 +08:00 · 2024-12-02 20:17:09 +08:00 · dc56af5c6b
parent a67263f5dd
commit dc56af5c6b
4 changed files with 83 additions and 23 deletions
--- a/nixos/modules/services/enthalpy/common.nix
+++ b/nixos/modules/services/enthalpy/common.nix
@ -77,9 +77,5 @@ in
      after = [ "network.target" ];
      wantedBy = [ "multi-user.target" ];
    };
-
-    environment.etc."netns/enthalpy/resolv.conf".text = lib.mkDefault ''
-      nameserver 2606:4700:4700::1111
-    '';
  };
 }
--- a/nixos/modules/services/enthalpy/ipsec.nix
+++ b/nixos/modules/services/enthalpy/ipsec.nix
@ -88,7 +88,7 @@ in
  config = mkIf (cfg.enable && cfg.ipsec.enable) {
    assertions = [
      {
-        assertion = builtins.all (lib.id) [
+        assertion = builtins.all id [
          (cfg.ipsec.blacklist != null -> cfg.ipsec.whitelist == null)
          (cfg.ipsec.whitelist != null -> cfg.ipsec.blacklist == null)
        ];
--- a/nixos/modules/services/enthalpy/services.nix
+++ b/nixos/modules/services/enthalpy/services.nix
@ -3,6 +3,7 @@
 {
  config,
  lib,
+  pkgs,
  ...
 }:
 with lib;
@ -36,22 +37,86 @@ in
    };
  };

-  config = mkIf cfg.enable {
-    systemd.services = mapAttrs (_name: value: {
-      inherit (value) overrideStrategy;
-      serviceConfig = {
-        NetworkNamespacePath = "/run/netns/${cfg.netns}";
-        BindReadOnlyPaths = "/etc/netns/${cfg.netns}/resolv.conf:/etc/resolv.conf:norbind";
-      };
-      after = [ "enthalpy.service" ];
-      requires = [ "enthalpy.service" ];
-    }) cfg.services;
+  config = mkIf cfg.enable (mkMerge [
+    {
+      systemd.services = mapAttrs (_name: value: {
+        inherit (value) overrideStrategy;
+        serviceConfig = {
+          NetworkNamespacePath = "/run/netns/${cfg.netns}";
+          BindReadOnlyPaths = [
+            "/etc/netns/${cfg.netns}/resolv.conf:/etc/resolv.conf:norbind"
+            "/etc/netns/${cfg.netns}/nsswitch.conf:/etc/nsswitch.conf:norbind"
+            "/run/enthalpy/nscd:/run/nscd:norbind"
+          ];
+        };
+        after = [ "enthalpy.service" ];
+        requires = [ "enthalpy.service" ];
+      }) cfg.services;

-    services.enthalpy.services = mapAttrs' (
-      name: _value:
-      nameValuePair "user@${toString config.users.users.${name}.uid}" {
-        overrideStrategy = "asDropin";
-      }
-    ) cfg.users;
-  };
+      services.enthalpy.services = mapAttrs' (
+        name: _value:
+        nameValuePair "user@${toString config.users.users.${name}.uid}" {
+          overrideStrategy = "asDropin";
+        }
+      ) cfg.users;
+    }
+
+    # https://philipdeljanov.com/posts/2019/05/31/dns-leaks-with-network-namespaces
+    # https://flokli.de/posts/2022-11-18-nsncd
+    (mkIf (cfg.services != { }) {
+      environment.etc."netns/enthalpy/resolv.conf".text = mkDefault ''
+        nameserver 2606:4700:4700::1111
+      '';
+
+      environment.etc."netns/enthalpy/nsswitch.conf".text = ''
+        passwd:    ${concatStringsSep " " config.system.nssDatabases.passwd}
+        group:     ${concatStringsSep " " config.system.nssDatabases.group}
+        shadow:    ${concatStringsSep " " config.system.nssDatabases.shadow}
+        sudoers:   ${concatStringsSep " " config.system.nssDatabases.sudoers}
+
+        hosts:     ${concatStringsSep " " (remove "resolve [!UNAVAIL=return]" config.system.nssDatabases.hosts)}
+        networks:  files
+
+        ethers:    files
+        services:  ${concatStringsSep " " config.system.nssDatabases.services}
+        protocols: files
+        rpc:       files
+      '';
+
+      systemd.services.enthalpy-nsncd = {
+        serviceConfig = {
+          NetworkNamespacePath = "/run/netns/${cfg.netns}";
+          BindReadOnlyPaths = [
+            "/etc/netns/${cfg.netns}/resolv.conf:/etc/resolv.conf:norbind"
+            "/etc/netns/${cfg.netns}/nsswitch.conf:/etc/nsswitch.conf:norbind"
+          ];
+          BindPaths = [
+            "/run/enthalpy/nscd:/run/nscd:norbind"
+          ];
+          ExecStart = "${pkgs.nsncd}/bin/nsncd";
+          Type = "notify";
+          DynamicUser = true;
+          RemoveIPC = true;
+          NoNewPrivileges = true;
+          RestrictSUIDSGID = true;
+          ProtectSystem = "strict";
+          ProtectHome = "read-only";
+          ProtectKernelTunables = true;
+          ProtectControlGroups = true;
+          PrivateTmp = true;
+          RuntimeDirectory = "enthalpy/nscd";
+          Restart = "always";
+          SystemCallFilter = "~@cpu-emulation @debug @keyring @module @mount @obsolete @raw-io";
+          MemoryDenyWriteExecute = "yes";
+        };
+        environment.LD_LIBRARY_PATH = config.system.nssModules.path;
+        after = [
+          "enthalpy.service"
+          "network.target"
+        ];
+        requires = [ "enthalpy.service" ];
+        wantedBy = [ "multi-user.target" ];
+      };
+    })
+  ]);
 }
--- a/nixos/profiles/services/resolved/default.nix
+++ b/nixos/profiles/services/resolved/default.nix
@ -5,7 +5,6 @@
    llmnr = "false";
    extraConfig = ''
      MulticastDNS=off
-      DNSStubListener=no
    '';
  };
 }