movefasta/nixpkgs
1
0
Fork 0
mirror of https://github.com/NixOS/nixpkgs.git synced 2025-06-17 23:19:25 +03:00
Code Issues Projects Releases Packages Wiki Activity

nixos/github-runner: systemd service hardening

Browse source
This commit is contained in:
Alex Martens 2022-03-06 15:46:23 -08:00
parent baedfc4da9
commit 334b30c464
3 changed files with 23 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

10
nixos/modules/services/continuous-integration/github-runner.nix
View file

@ -299,6 +299,16 @@ in
RestrictRealtime = true;
RestrictSUIDSGID = true;
UMask = "0066";
ProtectProc = "invisible";
ProcSubset = "pid";
SystemCallFilter = [
"~@debug"
"~@mount"
"~@privileged"
"~@cpu-emulation"
"~@obsolete"
];
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" "AF_NETLINK" ];
# Needs network access
PrivateNetwork = false;