diff --git a/nixos/modules/services/networking/bind.nix b/nixos/modules/services/networking/bind.nix
index 1192645c2472..50f267bc1f02 100644
--- a/nixos/modules/services/networking/bind.nix
+++ b/nixos/modules/services/networking/bind.nix
@@ -279,7 +279,7 @@ in
 RuntimeDirectoryPreserve = "yes";
 ConfigurationDirectory = "bind";
 ReadWritePaths = [
- (lib.mapAttrsToList (name: config: "-${config.file}") cfg.zones)
+ (lib.mapAttrsToList (name: config: if (lib.hasPrefix "/" config.file) then ("-${dirOf config.file}") else "") cfg.zones)
 cfg.directory
 ];
 CapabilityBoundingSet = "CAP_NET_BIND_SERVICE";
@@ -287,7 +287,7 @@ in
 # Security
 NoNewPrivileges = true;
 # Sandboxing
- ProtectSystem = "full";
+ ProtectSystem = "strict";
 ReadOnlyPaths = "/sys";
 ProtectHome = true;
 PrivateTmp = true;
@@ -310,7 +310,7 @@ in
 RestrictNamespaces = true;
 # System Call Filtering
 SystemCallArchitectures = "native";
- SystemCallFilter = "~@mount @debug @clock @reboot acct modify_ldt add_key adjtimex clock_adjtime delete_module fanotify_init finit_module get_mempolicy init_module io_destroy io_getevents iopl ioperm io_setup io_submit io_cancel kcmp kexec_load keyctl lookup_dcookie migrate_pages move_pages open_by_handle_at perf_event_open process_vm_readv process_vm_writev ptrace remap_file_pages request_key set_mempolicy swapoff swapon uselib vmsplice";
+ SystemCallFilter = "~@mount @debug @clock @reboot @resources @privileged @obsolete acct modify_ldt add_key adjtimex clock_adjtime delete_module fanotify_init finit_module get_mempolicy init_module io_destroy io_getevents iopl ioperm io_setup io_submit io_cancel kcmp kexec_load keyctl lookup_dcookie migrate_pages move_pages open_by_handle_at perf_event_open process_vm_readv process_vm_writev ptrace remap_file_pages request_key set_mempolicy swapoff swapon uselib vmsplice";
 };
 unitConfig.Documentation = "man:named(8)";
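Review bot: The new ReadWritePaths entry uses `dirOf config.file`, so every absolute zone file now opens its whole parent directory for writing instead of just the file; combined with the ProtectSystem=strict switch in the next hunk, a zone file placed directly under a system directory such as /etc would make that entire directory writable to named. Consider documenting this on the `zones.<name>.file` option or asserting that absolute zone files live under `cfg.directory` or a dedicated directory. The `else ""` branch also leaves empty strings inside the nested list, which appears to work only because the inner list is stringified into one space-separated value; `(lib.concatMap (z: lib.optional (lib.hasPrefix "/" z.file) "-${dirOf z.file}") (lib.attrValues cfg.zones))` avoids emitting them. The enclosing serviceConfig attribute set starts and ends outside this hunk.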
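Review bot: Switching to `ProtectSystem = "strict"` makes everything outside ReadWritePaths, RuntimeDirectory and the other systemd-managed directories read-only, and as far as I recall ConfigurationDirectory (`/etc/bind` via `ConfigurationDirectory = "bind"` in the first hunk) is not added to the writable set automatically. If anything in this unit writes under /etc/bind at start-up (a preStart step would be outside these hunks), it should be verified under the new mode or the path added to ReadWritePaths explicitly. A short comment such as `# strict: only ReadWritePaths, RuntimeDirectory and cfg.directory stay writable` next to the setting would make the intent clear to the next maintainer.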