From 469e354a7df239b90daa717ed7bd6279b14284fc Mon Sep 17 00:00:00 2001
From: Ganga Ram
Date: Mon, 9 Dec 2024 12:08:18 +0400
Subject: [PATCH] greetd.service hardening
- Hardened service config for greetd
- Exposure level after hardening: 3.5
Signed-off-by: Ganga Ram
---
.../hardened-configs/common/greetd.nix | 89 +++++++++++++++++++
1 file changed, 89 insertions(+)
create mode 100644 modules/common/systemd/hardened-configs/common/greetd.nix
diff --git a/modules/common/systemd/hardened-configs/common/greetd.nix b/modules/common/systemd/hardened-configs/common/greetd.nix
new file mode 100644
index 000000000..297f4c48d
--- /dev/null
+++ b/modules/common/systemd/hardened-configs/common/greetd.nix
@@ -0,0 +1,89 @@
+# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+#
+{
+ ##############
+ # Networking #
+ ##############
+ IPAccounting = true;
+ IPAddressDeny = "any";
+ RestrictAddressFamilies = [
+ "~AF_PACKET"
+ ];
+
+ ###############
+ # File system #
+ ###############
+
+ ProtectSystem = "full";
+ ProtectProc = "noaccess";
+ ReadWritePaths = [
+ "/run"
+ "/var/"
+ "/dev/"
+ ];
+
+ PrivateMounts = true;
+ ProcSubset = "all";
+
+ ##########
+ # Kernel #
+ ##########
+
+ ProtectKernelTunables = true;
+ ProtectKernelModules = true;
+ ProtectKernelLogs = true;
+
+ ########
+ # Misc #
+ ########
+ NoNewPrivileges = true;
+ UMask = 77;
+ ProtectHostname = true;
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ RestrictNamespaces = true;
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ SystemCallArchitectures = "native";
+ NotifyAccess = false;
+
+ ################
+ # Capabilities #
+ ################
+
+ CapabilityBoundingSet = [
+ "CAP_IPC_LOCK"
+ "CAP_SYS_TTY_CONFIG"
+ "CAP_SETGID"
+ "CAP_CHOWN"
+ "CAP_SETUID"
+ "CAP_IPC_OWNER"
+ "CAP_DAC_OVERRIDE"
+ "CAP_DAC_READ_SEARCH"
+ ];
+
+ ################
+ # System calls #
+ ################
+ SystemCallFilter = [
+ "@setuid"
+ "@chown"
+ "@system-service"
+ "@file-system"
+ "@basic-io"
+ "@ipc"
+ "@signal"
+ "~@clock"
+ "~@cpu-emulation"
+ "~@debug"
+ "~@module"
+ "~@mount"
+ "~@obsolete"
+ "~@raw-io"
+ "~@reboot"
+ "~@swap"
+ ];
+}
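Review bot: Most of these settings are per-process attributes inherited across fork/exec, and greetd's job is to spawn the greeter and then the user's login session, so NoNewPrivileges, SystemCallFilter/SystemCallArchitectures, CapabilityBoundingSet, MemoryDenyWriteExecute, RestrictNamespaces, LockPersonality and the mount namespace created by ProtectSystem/ProtectProc/PrivateMounts will govern the whole logged-in session rather than just greetd (only the cgroup-scoped IPAddressDeny/IPAccounting stop at the logind session scope). Unless Ghaf starts the session outside this unit, that means no setuid helpers such as sudo/su/passwd, no user namespaces for sandboxes (bwrap, flatpak, browser sandboxes) and no JIT in the session; confirm this is intended and make it visible with a header comment such as `# NOTE: the per-process restrictions below are inherited by the greeter and the login session greetd spawns`. Separately, ReadWritePaths is a no-op under ProtectSystem = "full", which only mounts /usr, /boot and /etc read-only and leaves /run, /var and /dev writable anyway; either drop the list or switch to `ProtectSystem = "strict";` so the allow-list actually constrains writes. `NotifyAccess = false;` will most likely be rendered as NotifyAccess=false, which is not one of systemd's accepted values (none/main/exec/all) and is ignored with a warning at load time; use `NotifyAccess = "none";` if this attrset is passed through to serviceConfig as-is. Finally, CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH bypass file permission checks for greetd and everything it spawns, so a one-line comment on why greetd needs them (presumably PAM or VT handling, to be confirmed) would help the next audit decide whether they can be dropped.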