2e751c0772
the conversion procedure is simple: - find all things that look like options, ie calls to either `mkOption` or `lib.mkOption` that take an attrset. remember the attrset as the option - for all options, find a `description` attribute who's value is not a call to `mdDoc` or `lib.mdDoc` - textually convert the entire value of the attribute to MD with a few simple regexes (the set from mdize-module.sh) - if the change produced a change in the manual output, discard - if the change kept the manual unchanged, add some text to the description to make sure we've actually found an option. if the manual changes this time, keep the converted description this procedure converts 80% of nixos options to markdown. around 2000 options remain to be inspected, but most of those fail the "does not change the manual output check": currently the MD conversion process does not faithfully convert docbook tags like <code> and <package>, so any option using such tags will not be converted at all.
215 lines
7.2 KiB
Nix
215 lines
7.2 KiB
Nix
{ config, lib, pkgs, ... }:
|
|
|
|
with lib;
|
|
let
|
|
cfg = config.services.usbguard;
|
|
|
|
# valid policy options
|
|
policy = (types.enum [ "allow" "block" "reject" "keep" "apply-policy" ]);
|
|
|
|
defaultRuleFile = "/var/lib/usbguard/rules.conf";
|
|
|
|
# decide what file to use for rules
|
|
ruleFile = if cfg.rules != null then pkgs.writeText "usbguard-rules" cfg.rules else defaultRuleFile;
|
|
|
|
daemonConf = ''
|
|
# generated by nixos/modules/services/security/usbguard.nix
|
|
RuleFile=${ruleFile}
|
|
ImplicitPolicyTarget=${cfg.implictPolicyTarget}
|
|
PresentDevicePolicy=${cfg.presentDevicePolicy}
|
|
PresentControllerPolicy=${cfg.presentControllerPolicy}
|
|
InsertedDevicePolicy=${cfg.insertedDevicePolicy}
|
|
RestoreControllerDeviceState=${boolToString cfg.restoreControllerDeviceState}
|
|
# this does not seem useful for endusers to change
|
|
DeviceManagerBackend=uevent
|
|
IPCAllowedUsers=${concatStringsSep " " cfg.IPCAllowedUsers}
|
|
IPCAllowedGroups=${concatStringsSep " " cfg.IPCAllowedGroups}
|
|
IPCAccessControlFiles=/var/lib/usbguard/IPCAccessControl.d/
|
|
DeviceRulesWithPort=${boolToString cfg.deviceRulesWithPort}
|
|
# HACK: that way audit logs still land in the journal
|
|
AuditFilePath=/dev/null
|
|
'';
|
|
|
|
daemonConfFile = pkgs.writeText "usbguard-daemon-conf" daemonConf;
|
|
|
|
in
|
|
{
|
|
|
|
###### interface
|
|
|
|
options = {
|
|
services.usbguard = {
|
|
enable = mkEnableOption "USBGuard daemon";
|
|
|
|
package = mkOption {
|
|
type = types.package;
|
|
default = pkgs.usbguard;
|
|
defaultText = literalExpression "pkgs.usbguard";
|
|
description = lib.mdDoc ''
|
|
The usbguard package to use. If you do not need the Qt GUI, use
|
|
`pkgs.usbguard-nox` to save disk space.
|
|
'';
|
|
};
|
|
|
|
rules = mkOption {
|
|
type = types.nullOr types.lines;
|
|
default = null;
|
|
example = ''
|
|
allow with-interface equals { 08:*:* }
|
|
'';
|
|
description = ''
|
|
The USBGuard daemon will load this as the policy rule set.
|
|
As these rules are NixOS managed they are immutable and can't
|
|
be changed by the IPC interface.
|
|
|
|
If you do not set this option, the USBGuard daemon will load
|
|
it's policy rule set from <literal>${defaultRuleFile}</literal>.
|
|
This file can be changed manually or via the IPC interface.
|
|
|
|
Running <literal>usbguard generate-policy</literal> as root will
|
|
generate a config for your currently plugged in devices.
|
|
|
|
For more details see <citerefentry>
|
|
<refentrytitle>usbguard-rules.conf</refentrytitle>
|
|
<manvolnum>5</manvolnum></citerefentry>.
|
|
'';
|
|
};
|
|
|
|
implictPolicyTarget = mkOption {
|
|
type = policy;
|
|
default = "block";
|
|
description = lib.mdDoc ''
|
|
How to treat USB devices that don't match any rule in the policy.
|
|
Target should be one of allow, block or reject (logically remove the
|
|
device node from the system).
|
|
'';
|
|
};
|
|
|
|
presentDevicePolicy = mkOption {
|
|
type = policy;
|
|
default = "apply-policy";
|
|
description = lib.mdDoc ''
|
|
How to treat USB devices that are already connected when the daemon
|
|
starts. Policy should be one of allow, block, reject, keep (keep
|
|
whatever state the device is currently in) or apply-policy (evaluate
|
|
the rule set for every present device).
|
|
'';
|
|
};
|
|
|
|
presentControllerPolicy = mkOption {
|
|
type = policy;
|
|
default = "keep";
|
|
description = lib.mdDoc ''
|
|
How to treat USB controller devices that are already connected when
|
|
the daemon starts. One of allow, block, reject, keep or apply-policy.
|
|
'';
|
|
};
|
|
|
|
insertedDevicePolicy = mkOption {
|
|
type = policy;
|
|
default = "apply-policy";
|
|
description = lib.mdDoc ''
|
|
How to treat USB devices that are already connected after the daemon
|
|
starts. One of block, reject, apply-policy.
|
|
'';
|
|
};
|
|
|
|
restoreControllerDeviceState = mkOption {
|
|
type = types.bool;
|
|
default = false;
|
|
description = lib.mdDoc ''
|
|
The USBGuard daemon modifies some attributes of controller
|
|
devices like the default authorization state of new child device
|
|
instances. Using this setting, you can controll whether the daemon
|
|
will try to restore the attribute values to the state before
|
|
modificaton on shutdown.
|
|
'';
|
|
};
|
|
|
|
IPCAllowedUsers = mkOption {
|
|
type = types.listOf types.str;
|
|
default = [ "root" ];
|
|
example = [ "root" "yourusername" ];
|
|
description = lib.mdDoc ''
|
|
A list of usernames that the daemon will accept IPC connections from.
|
|
'';
|
|
};
|
|
|
|
IPCAllowedGroups = mkOption {
|
|
type = types.listOf types.str;
|
|
default = [ ];
|
|
example = [ "wheel" ];
|
|
description = lib.mdDoc ''
|
|
A list of groupnames that the daemon will accept IPC connections
|
|
from.
|
|
'';
|
|
};
|
|
|
|
deviceRulesWithPort = mkOption {
|
|
type = types.bool;
|
|
default = false;
|
|
description = lib.mdDoc ''
|
|
Generate device specific rules including the "via-port" attribute.
|
|
'';
|
|
};
|
|
};
|
|
};
|
|
|
|
|
|
###### implementation
|
|
|
|
config = mkIf cfg.enable {
|
|
|
|
environment.systemPackages = [ cfg.package ];
|
|
|
|
systemd.services.usbguard = {
|
|
description = "USBGuard daemon";
|
|
|
|
wantedBy = [ "basic.target" ];
|
|
wants = [ "systemd-udevd.service" ];
|
|
|
|
# make sure an empty rule file exists
|
|
preStart = ''[ -f "${ruleFile}" ] || touch ${ruleFile}'';
|
|
|
|
serviceConfig = {
|
|
Type = "simple";
|
|
ExecStart = "${cfg.package}/bin/usbguard-daemon -P -k -c ${daemonConfFile}";
|
|
Restart = "on-failure";
|
|
|
|
StateDirectory = [
|
|
"usbguard"
|
|
"usbguard/IPCAccessControl.d"
|
|
];
|
|
|
|
AmbientCapabilities = "";
|
|
CapabilityBoundingSet = "CAP_CHOWN CAP_FOWNER";
|
|
DeviceAllow = "/dev/null rw";
|
|
DevicePolicy = "strict";
|
|
IPAddressDeny = "any";
|
|
LockPersonality = true;
|
|
MemoryDenyWriteExecute = true;
|
|
NoNewPrivileges = true;
|
|
PrivateDevices = true;
|
|
PrivateTmp = true;
|
|
ProtectControlGroups = true;
|
|
ProtectHome = true;
|
|
ProtectKernelModules = true;
|
|
ProtectSystem = true;
|
|
ReadOnlyPaths = "-/";
|
|
ReadWritePaths = "-/dev/shm -/tmp";
|
|
RestrictAddressFamilies = [ "AF_UNIX" "AF_NETLINK" ];
|
|
RestrictNamespaces = true;
|
|
RestrictRealtime = true;
|
|
SystemCallArchitectures = "native";
|
|
SystemCallFilter = "@system-service";
|
|
UMask = "0077";
|
|
};
|
|
};
|
|
};
|
|
imports = [
|
|
(mkRemovedOptionModule [ "services" "usbguard" "ruleFile" ] "The usbguard module now uses ${defaultRuleFile} as ruleFile. Alternatively, use services.usbguard.rules to configure rules.")
|
|
(mkRemovedOptionModule [ "services" "usbguard" "IPCAccessControlFiles" ] "The usbguard module now hardcodes IPCAccessControlFiles to /var/lib/usbguard/IPCAccessControl.d.")
|
|
(mkRemovedOptionModule [ "services" "usbguard" "auditFilePath" ] "Removed usbguard module audit log files. Audit logs can be found in the systemd journal.")
|
|
];
|
|
}
|