
davmail: enable sandboxing options

The output from `systemd-analyze security davmail`:
Before: `Overall exposure level for davmail.service: 8.2 EXPOSED 🙁`
After: `Overall exposure level for davmail.service: 1.3 OK 🙂`

+27
+27
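--- a/nixos/modules/services/mail/davmail.nix
+++ b/nixos/modules/services/mail/davmail.nix
@@ -91,6 +91,33 @@
 Restart = "on-failure";
 DynamicUser = "yes";
 LogsDirectory = "davmail";
+
+CapabilityBoundingSet = [ "" ];
+DeviceAllow = [ "" ];
+LockPersonality = true;
+NoNewPrivileges = true;
+PrivateDevices = true;
+PrivateTmp = true;
+PrivateUsers = true;
+ProtectClock = true;
+ProtectControlGroups = true;
+ProtectHome = true;
+ProtectSystem = "strict";
+ProtectHostname = true;
+ProtectKernelLogs = true;
+ProtectKernelModules = true;
+ProtectKernelTunables = true;
+ProtectProc = "invisible";
+RemoveIPC = true;
+RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
+RestrictNamespaces = true;
+RestrictRealtime = true;
+RestrictSUIDSGID = true;
+SystemCallArchitectures = "native";
+SystemCallFilter = "@system-service";
+SystemCallErrorNumber = "EPERM";
+UMask = "0077";
+
 };
 };
 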
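Review bot: The commit message documents the systemd-analyze score but not a functional check of the sandboxed service, and davmail is a JVM application, so the new restrictions deserve a short rationale comment next to them. In particular, `RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];` excludes AF_UNIX, which the JVM may try to use for its attach/diagnostic listener — presumably harmless for a headless service, but worth confirming, and `MemoryDenyWriteExecute` appears to have been deliberately left out because the JIT needs writable+executable mappings; a comment such as `# Hardening tuned for the JVM: no MemoryDenyWriteExecute (JIT), AF_UNIX not needed in headless mode` would record that for the next maintainer. `SystemCallFilter = "@system-service";` is written as a string while `CapabilityBoundingSet` and `DeviceAllow` use list form; for consistency, and to allow further narrowing later, `SystemCallFilter = [ "@system-service" "~@resources" ];` would read better, provided davmail is confirmed not to need the resource-limit syscalls. The enclosing serviceConfig attribute set starts outside the hunk.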