
nixos/echoip: improve systemd hardening

Defelo eccf6388 110b3af9

+13 -6
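--- a/nixos/modules/services/web-apps/echoip.nix
+++ b/nixos/modules/services/web-apps/echoip.nix
@@ -75,9 +75,12 @@
         );
 
         # Hardening
+        AmbientCapabilities = "";
         CapabilityBoundingSet = [ "" ];
-        DeviceAllow = [ "" ];
+        DevicePolicy = "closed";
         LockPersonality = true;
+        MemoryDenyWriteExecute = true;
+        NoNewPrivileges = true;
         PrivateDevices = true;
         PrivateTmp = true;
         PrivateUsers = true;
@@ -91,15 +94,19 @@
         ProtectKernelTunables = true;
         ProtectProc = "invisible";
         ProtectSystem = "strict";
-        RestrictAddressFamilies = [
-          "AF_INET"
-          "AF_INET6"
-          "AF_UNIX"
-        ];
+        RemoveIPC = true;
+        RestrictAddressFamilies = [ "AF_INET AF_INET6 AF_UNIX" ];
         RestrictNamespaces = true;
         RestrictRealtime = true;
         RestrictSUIDSGID = true;
         SystemCallArchitectures = "native";
+        SystemCallFilter = [
+          "@system-service"
+          "~@privileged"
+          "~@resources"
+          "setrlimit"
+        ];
+        UMask = "0077";
       };
     };
 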
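Review bot: The `"setrlimit"` entry in the new SystemCallFilter re-allows a single syscall right after `"~@resources"` removes it, and nothing says why, so the next person tidying the list is likely to drop it and break startup; add a comment above it such as `# setrlimit is filtered by ~@resources but is needed at startup (presumably the runtime raising RLIMIT_NOFILE) — confirm and adjust`. Systemd applies the entries in order, so the trailing allow entry does restore setrlimit as intended; only the rationale is missing. The collapsed `RestrictAddressFamilies = [ "AF_INET AF_INET6 AF_UNIX" ];` works because systemd accepts a space-separated value, but the one-family-per-element list this hunk removes is the form used elsewhere in nixpkgs and diffs more cleanly, so keeping `RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];` would be preferable. The serviceConfig attribute set begins before the first hunk, and lines 84–93 are not shown, so options such as ProtectHome or ProtectKernelModules may already be set there.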