common/wpa_supplicant: harden

hosts/common/default.nix

@@ -41,6 +41,7 @@ in {
     ./services/uptimed.nix
     ./services/userborn.nix
     ./services/userdbd.nix
+    ./services/wpa_supplicant.nix
     ./services/xserver.nix
   ];
 

hosts/common/services/wpa_supplicant.nix

@@ -0,0 +1,63 @@
+{ config, lib, ... }:
+let
+  cfg = config.networking.wireless;
+in
+{
+  systemd.services.wpa_supplicant.serviceConfig = lib.mkIf (cfg.enable || config.networking.hostName == "xps16") {
+    RuntimeDirectory = [
+      "wpa_supplicant"
+      "wpa_supplicant/root-mnt"
+    ];
+    RootDirectory = "/run/wpa_supplicant/root-mnt";
+    BindPaths = [
+      "/etc"
+      "/run/dbus/system_bus_socket"
+      "/tmp"
+    ];
+    BindReadOnlyPaths = [
+      # "/bin/sh"
+      builtins.storeDir
+    ];
+
+    # wpa_ctrl puts sockets in /tmp
+    PrivateTmp = false;
+    # PrivateTmp = lib.mkIf (configIsGenerated && !cfg.allowAuxiliaryImperativeNetworks) "disconnected";
+
+    CapabilityBoundingSet = [
+      "CAP_NET_ADMIN"
+      "CAP_BLOCK_SUSPEND"
+      "CAP_NET_RAW"
+      "CAP_CHOWN"
+    ];
+    RestrictNamespaces = true;
+    SystemCallFilter = [
+      "@system-service"
+      "~@resources"
+      "@chown"
+    ];
+    ProtectProc = "invisible";
+    SystemCallArchitectures = "native";
+    DeviceAllow = "/dev/rfkill";
+    DevicePolicy = "closed";
+    NoNewPrivileges = true;
+    ProtectKernelLogs = true;
+    ProtectControlGroups = true;
+    ProtectKernelModules = true;
+    ProtectSystem = true;
+    ProtectHome = true;
+    MemoryDenyWriteExecute = true;
+    ProtectHostname = true;
+    LockPersonality = true;
+    RestrictRealtime = true;
+    RestrictSUIDSGID = true;
+    RestrictAddressFamilies = [
+      "AF_INET"
+      "AF_INET6"
+      "AF_NETLINK"
+      "AF_PACKET"
+      # "AF_ALG" # Used for 'linux' TLS backend
+    ] ++ lib.optionals cfg.dbusControlled [
+      "AF_UNIX"
+    ];
+  };
+}