pyrox.dev
Merge pull request #122241 from dotlambda/znc-harden
nixos/znc: harden systemd unit
authored by
Robert Schütz
and committed by
GitHub
d189df23
903665f3
+30
-2
nixos/modules/services/networking/znc/default.nix
+30
-2
nixos/modules/services/networking/znc/default.nix
···
103
103
};
104
104
105
105
dataDir = mkOption {
106
-
default = "/var/lib/znc/";
107
-
example = "/home/john/.znc/";
106
+
default = "/var/lib/znc";
107
+
example = "/home/john/.znc";
108
108
type = types.path;
109
109
description = ''
110
110
The state directory for ZNC. The config and the modules will be linked
···
258
258
ExecStart = "${pkgs.znc}/bin/znc --foreground --datadir ${cfg.dataDir} ${escapeShellArgs cfg.extraFlags}";
259
259
ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
260
260
ExecStop = "${pkgs.coreutils}/bin/kill -INT $MAINPID";
261
+
# Hardening
262
+
CapabilityBoundingSet = [ "" ];
263
+
DevicePolicy = "closed";
264
+
LockPersonality = true;
265
+
MemoryDenyWriteExecute = true;
266
+
NoNewPrivileges = true;
267
+
PrivateDevices = true;
268
+
PrivateTmp = true;
269
+
PrivateUsers = true;
270
+
ProcSubset = "pid";
271
+
ProtectClock = true;
272
+
ProtectControlGroups = true;
273
+
ProtectHome = true;
274
+
ProtectHostname = true;
275
+
ProtectKernelLogs = true;
276
+
ProtectKernelModules = true;
277
+
ProtectKernelTunables = true;
278
+
ProtectProc = "invisible";
279
+
ProtectSystem = "strict";
280
+
ReadWritePaths = [ cfg.dataDir ];
281
+
RemoveIPC = true;
282
+
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
283
+
RestrictNamespaces = true;
284
+
RestrictRealtime = true;
285
+
RestrictSUIDSGID = true;
286
+
SystemCallArchitectures = "native";
287
+
SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ];
288
+
UMask = "0027";
261
289
};
262
290
preStart = ''
263
291
mkdir -p ${cfg.dataDir}/configs
+1
-1
nixos/modules/services/networking/znc/options.nix
+1
-1
nixos/modules/services/networking/znc/options.nix