nixos/mastodon: enable sandbox mode

authored by Izorkin and committed by erictapen f3a032de 5db15c12

+24
+24
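--- a/nixos/modules/services/web-apps/mastodon.nix
+++ b/nixos/modules/services/web-apps/mastodon.nix
@@ -43,8 +43,32 @@
 LogsDirectoryMode = "0750";
 # Access write directories
 UMask = "0027";
+# Capabilities
+CapabilityBoundingSet = "";
+# Security
+NoNewPrivileges = true;
 # Sandboxing
+ProtectSystem = "strict";
+ProtectHome = true;
 PrivateTmp = true;
+PrivateDevices = true;
+PrivateUsers = true;
+ProtectClock = true;
+ProtectHostname = true;
+ProtectKernelLogs = true;
+ProtectKernelModules = true;
+ProtectKernelTunables = true;
+ProtectControlGroups = true;
+RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" "AF_NETLINK" ];
+RestrictNamespaces = true;
+LockPersonality = true;
+MemoryDenyWriteExecute = false;
+RestrictRealtime = true;
+RestrictSUIDSGID = true;
+PrivateMounts = true;
+# System Call Filtering
+SystemCallArchitectures = "native";
+SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @reboot @resources @setuid @swap";
 };
 
 envFile = pkgs.writeText "mastodon.env" (lib.concatMapStrings (s: s + "\n") (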
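Review bot: `MemoryDenyWriteExecute = false;` is the only explicit opt-out in this hardening block and carries no justification, so a later reader is likely to "fix" it to `true` and break the service; a comment next to it stating which runtime needs writable-and-executable memory (presumably the Ruby or Node.js processes this unit starts — confirm) would pin the reason. The same applies to `"AF_NETLINK"` in `RestrictAddressFamilies`, which is unusual for a web application and deserves a one-line comment naming the consumer that needs it. Since `ProtectSystem = "strict"` leaves only `StateDirectory`/`LogsDirectory`/`ReadWritePaths` writable, it is worth confirming that every path the service writes is covered — the `LogsDirectoryMode` line suggests `LogsDirectory` is declared above, but the enclosing attrset starts outside the hunk. For maintainability, `SystemCallFilter` could be written as a Nix list (`[ "~@clock" "@cpu-emulation" … ]`) like `RestrictAddressFamilies`, so each group is reviewable as its own line.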