
nixos/jenkins: Apply hardening options

Signed-off-by: Felix Singer <felixsinger@posteo.net>

+27
+27
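--- a/nixos/modules/services/continuous-integration/jenkins/default.nix
+++ b/nixos/modules/services/continuous-integration/jenkins/default.nix
@@ -254,6 +254,33 @@
 StateDirectory = lib.mkIf (lib.hasPrefix "/var/lib/jenkins" cfg.home) "jenkins";
 # For (possible) socket use
 RuntimeDirectory = "jenkins";
+AmbientCapabilities = "";
+CapabilityBoundingSet = "";
+LockPersonality = true;
+# MemoryDenyWriteExecute = false; Breaks execution;
+NoNewPrivileges = true;
+PrivateDevices = true;
+PrivateMounts = true;
+PrivateTmp = true;
+ProtectClock = true;
+ProtectControlGroups = true;
+ProtectHome = true;
+ProtectHostname = true;
+ProtectKernelLogs = true;
+ProtectKernelModules = true;
+ProtectKernelTunables = true;
+ProtectSystem = "full";
+RemoveIPC = true;
+RestrictAddressFamilies = [
+"AF_UNIX"
+"AF_INET"
+"AF_INET6"
+];
+RestrictNamespaces = true;
+RestrictRealtime = true;
+RestrictSUIDSGID = true;
+SystemCallArchitectures = "native";
+UMask = 27;
 };
 };
 };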
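Review bot: `ProtectHome = true;` is applied unconditionally, but the `StateDirectory` context line shows that `cfg.home` may live outside `/var/lib/jenkins`; a home under `/home`, `/root` or `/run/user` would become inaccessible to the service after this change. Consider guarding it the same way, e.g. `ProtectHome = lib.mkIf (lib.hasPrefix "/var/lib/jenkins" cfg.home) true;`, or documenting the restriction on the `home` option. The sandbox presumably also applies to build steps spawned by this unit, so jobs that rely on setuid helpers, or a listen port below 1024, would fail under `NoNewPrivileges`, `RestrictSUIDSGID` and the empty `CapabilityBoundingSet`; that deserves a release-note entry. The commented line reads as if `false` were the breaking value, so something like `# MemoryDenyWriteExecute cannot be enabled: it breaks execution` is clearer, and `UMask = "0027";` makes the octal intent explicit instead of relying on how the integer 27 is rendered. The enclosing attribute set starts outside the hunk.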