
nixos/ntpd-rs: hardening

authored by

liberodark and committed by
Masum Reza
a9cd681b 5db8ee9d

+81
+81
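--- a/nixos/modules/services/networking/ntp/ntpd-rs.nix
+++ b/nixos/modules/services/networking/ntp/ntpd-rs.nix
@@ -90,6 +90,49 @@
 ""
 "${lib.makeBinPath [ cfg.package ]}/ntp-daemon --config=${validateConfig configFile}"
 ];
+
+CapabilityBoundingSet = [
+"CAP_SYS_TIME"
+"CAP_NET_BIND_SERVICE"
+];
+AmbientCapabilities = [
+"CAP_SYS_TIME"
+"CAP_NET_BIND_SERVICE"
+];
+LimitCORE = 0;
+LimitNOFILE = 65535;
+LockPersonality = true;
+MemorySwapMax = 0;
+MemoryZSwapMax = 0;
+PrivateTmp = true;
+ProcSubset = "pid";
+ProtectControlGroups = true;
+ProtectHome = true;
+ProtectHostname = true;
+ProtectKernelLogs = true;
+ProtectKernelModules = true;
+ProtectKernelTunables = true;
+ProtectProc = "invisible";
+ProtectSystem = "strict";
+Restart = "on-failure";
+RestartSec = "10s";
+RestrictAddressFamilies = [
+"AF_INET"
+"AF_INET6"
+"AF_UNIX"
+"AF_NETLINK"
+];
+RestrictNamespaces = true;
+RestrictRealtime = true;
+SystemCallArchitectures = "native";
+SystemCallFilter = [
+"@system-service"
+"@resources"
+"@network-io"
+"@clock"
+];
+NoNewPrivileges = true;
+UMask = "0077";
 };
 };
 
@@ -103,6 +146,44 @@
 ""
 "${lib.makeBinPath [ cfg.package ]}/ntp-metrics-exporter --config=${validateConfig configFile}"
 ];
+
+CapabilityBoundingSet = [ ];
+LimitCORE = 0;
+LimitNOFILE = 65535;
+LockPersonality = true;
+MemorySwapMax = 0;
+MemoryZSwapMax = 0;
+PrivateTmp = true;
+ProcSubset = "pid";
+ProtectClock = true;
+ProtectControlGroups = true;
+ProtectHome = true;
+ProtectHostname = true;
+ProtectKernelLogs = true;
+ProtectKernelModules = true;
+ProtectKernelTunables = true;
+ProtectProc = "invisible";
+ProtectSystem = "strict";
+PrivateDevices = true;
+RestrictSUIDSGID = true;
+RemoveIPC = true;
+RestrictAddressFamilies = [
+"AF_INET"
+"AF_INET6"
+"AF_UNIX"
+];
+RestrictNamespaces = true;
+RestrictRealtime = true;
+SystemCallArchitectures = "native";
+SystemCallFilter = [
+"@system-service"
+"@network-io"
+"~@privileged"
+"~@resources"
+"~@mount"
+];
+NoNewPrivileges = true;
+UMask = "0077";
 };
 };
 };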
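Review bot: The ntp-daemon block (first hunk) ends up with a weaker profile than the exporter's for no reason visible here: it lacks `RestrictSUIDSGID = true;`, `RemoveIPC = true;` and the `"~@privileged"`/`"~@mount"` deny entries the second hunk adds, and as far as I recall `@system-service` already covers `@network-io` and `@resources`, so `@clock` is the only entry in the daemon's filter that actually widens the allow-list. Leaving `ProtectClock` and `PrivateDevices` off the daemon is presumably deliberate (it has to step the clock and may use hardware reference clocks), so a comment such as `# no ProtectClock/PrivateDevices: the daemon adjusts the system clock and may read hardware reference clocks` above its `CapabilityBoundingSet` would keep a later hardening pass from adding them and breaking time sync. With `ProtectSystem = "strict"` and no `ReadWritePaths`, `StateDirectory` or `RuntimeDirectory` in either hunk, the observation socket and any NTS key material must live on a path that is still writable; whether the rest of the module arranges that is outside what these hunks show. The `AmbientCapabilities` entries only take effect if the unit runs as a non-root user, which is likewise not visible in the hunk.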