From 1e2d251e1d931525dadafe13e0b85aec9d8fe309 Mon Sep 17 00:00:00 2001
From: Gabriel Arazas
Date: Wed, 28 Jun 2023 00:19:06 +0800
Subject: [PATCH] hosts/plover: harden Bind systemd service
---
 hosts/plover/modules/services/bind.nix | 58 ++++++++++++++++++++++++++
 1 file changed, 58 insertions(+)
diff --git a/hosts/plover/modules/services/bind.nix b/hosts/plover/modules/services/bind.nix
index a3985da5..30df0127 100644
--- a/hosts/plover/modules/services/bind.nix
+++ b/hosts/plover/modules/services/bind.nix
@@ -144,6 +144,64 @@ in
 '';
 };
 
+ # Additional service hardening. You can see most of the options
+ # from systemd.exec(5) manual.
+ systemd.services.bind = {
+ serviceConfig = {
+ # Run it as an unprivileged user.
+ User = config.users.users.named.name;
+ Group = config.users.users.named.group;
+ UMask = "0037";
+
+ # Lock and protect various system components.
+ LockPersonality = true;
+ PrivateTmp = true;
+ NoNewPrivileges = true;
+ RestrictSUIDSGID = true;
+ ProtectHome = true;
+ ProtectHostname = true;
+ ProtectClock = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectKernelLogs = true;
+ ProtectControlGroups = true;
+ ProtectProc = "invisible";
+
+ # Make the filesystem invisible to the service.
+ ProtectSystem = "strict";
+ ReadWritePaths = [
+ config.services.bind.directory
+ "/etc/bind"
+ ];
+
+ # Filtering system calls.
+ SystemCallFilter = [ "@system-service" ];
+ SystemCallErrorNumber = "EPERM";
+ SystemCallArchitectures = "native";
+
+ # Granting and restricting its capabilities. Take note we're not using
+ # syslog for this even if the application can so no syslog capability.
+ CapabilityBoundingSet = [
+ "CAP_NET_BIND_SERVICE"
+ "CAP_NET_RAW"
+ "CAP_SYS_CHROOT"
+ ];
+ AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
+
+ # Restrict what address families can it access.
+ RestrictAddressFamilies = [
+ "AF_LOCAL"
+ "AF_NETLINK"
+ "AF_BRIDGE"
+ "AF_INET"
+ "AF_INET6"
+ ];
+
+ # Restricting what namespaces it can create.
+ RestrictNamespaces = [ "network" "pid" ];
+ };
+ };
+
 networking.firewall ={
 allowedUDPPorts = [
 53 # DNS
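Review bot: `ReadWritePaths` grants named write access to `/etc/bind`; under `ProtectSystem = "strict"` that directory is already readable, so listing it only adds the ability for a compromised named to rewrite its own configuration and any keys stored there — if nothing under `/etc/bind` is written at runtime, drop the entry (or move it to `ReadOnlyPaths`), and if the path may be absent on this host prefix it with `-` so mount namespace setup does not fail the unit. `CapabilityBoundingSet` keeps `CAP_NET_RAW` and `CAP_SYS_CHROOT` although `User=` is unprivileged and only `CAP_NET_BIND_SERVICE` is granted via `AmbientCapabilities`; neither appears needed by this configuration, so the bounding set can be reduced to `CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];`. `AF_BRIDGE` in `RestrictAddressFamilies` is likewise unlikely to be used by a DNS server, whereas `AF_NETLINK` may be needed for interface enumeration, so confirm that one before removing it. The unit's `ExecStart` is outside this hunk; if the module still passes `-u named` there, verify that named starts cleanly when it is already running as that user rather than dropping privileges itself.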