nixos/echoip: improve systemd hardening (#387466)

nixos/modules/services/web-apps/echoip.nix

@@ -75,9 +75,12 @@ in
         );
 
         # Hardening
+        AmbientCapabilities = "";
         CapabilityBoundingSet = [ "" ];
-        DeviceAllow = [ "" ];
+        DevicePolicy = "closed";
         LockPersonality = true;
+        MemoryDenyWriteExecute = true;
+        NoNewPrivileges = true;
         PrivateDevices = true;
         PrivateTmp = true;
         PrivateUsers = true;
@@ -91,15 +94,19 @@ in
         ProtectKernelTunables = true;
         ProtectProc = "invisible";
         ProtectSystem = "strict";
-        RestrictAddressFamilies = [
-          "AF_INET"
-          "AF_INET6"
-          "AF_UNIX"
-        ];
+        RemoveIPC = true;
+        RestrictAddressFamilies = [ "AF_INET AF_INET6 AF_UNIX" ];
         RestrictNamespaces = true;
         RestrictRealtime = true;
         RestrictSUIDSGID = true;
         SystemCallArchitectures = "native";
+        SystemCallFilter = [
+          "@system-service"
+          "~@privileged"
+          "~@resources"
+          "setrlimit"
+        ];
+        UMask = "0077";
       };
     };
 

nixos/tests/all-tests.nix

@@ -353,7 +353,7 @@ in {
   early-mount-options = handleTest ./early-mount-options.nix {};
   ec2-config = (handleTestOn ["x86_64-linux"] ./ec2.nix {}).boot-ec2-config or {};
   ec2-nixops = (handleTestOn ["x86_64-linux"] ./ec2.nix {}).boot-ec2-nixops or {};
-  echoip = handleTest ./echoip.nix {};
+  echoip = runTest ./echoip.nix;
   ecryptfs = handleTest ./ecryptfs.nix {};
   fscrypt = handleTest ./fscrypt.nix {};
   fastnetmon-advanced = runTest ./fastnetmon-advanced.nix;

nixos/tests/echoip.nix

@@ -1,5 +1,5 @@
-import ./make-test-python.nix (
 { lib, ... }:
+
 {
   name = "echoip";
   meta.maintainers = with lib.maintainers; [ defelo ];
@@ -26,4 +26,3 @@ import ./make-test-python.nix (
     assert resp.strip() == "::1"
   '';
 }
-)