From 4855723c87be027e9ed9a3e6e6503d04f48f4b8a Mon Sep 17 00:00:00 2001
From: HackerNCoder
Date: Fri, 18 Oct 2024 19:36:10 +0200
Subject: [PATCH] nixos/bind: Make ProtectSystem strict, add missing SystemCallFilters

ReadWritePaths now gets the directory of zone files
---
 nixos/modules/services/networking/bind.nix | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/nixos/modules/services/networking/bind.nix b/nixos/modules/services/networking/bind.nix
index 1192645c2472..50f267bc1f02 100644
--- a/nixos/modules/services/networking/bind.nix
+++ b/nixos/modules/services/networking/bind.nix
@@ -279,7 +279,7 @@ in
 RuntimeDirectoryPreserve = "yes";
 ConfigurationDirectory = "bind";
 ReadWritePaths = [
- (lib.mapAttrsToList (name: config: "-${config.file}") cfg.zones)
+ (lib.mapAttrsToList (name: config: if (lib.hasPrefix "/" config.file) then ("-${dirOf config.file}") else "") cfg.zones)
 cfg.directory
 ];
 CapabilityBoundingSet = "CAP_NET_BIND_SERVICE";
@@ -287,7 +287,7 @@ in
 # Security
 NoNewPrivileges = true;
 # Sandboxing
- ProtectSystem = "full";
+ ProtectSystem = "strict";
 ReadOnlyPaths = "/sys";
 ProtectHome = true;
 PrivateTmp = true;
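Review bot: The new `ReadWritePaths` entry grants write access to the whole directory holding each zone file (`dirOf config.file`) rather than the file itself, so a zone placed directly under a top-level directory such as `/etc` or `/var/lib` makes that entire tree writable again despite `ProtectSystem = "strict"`, and a store-path zone file yields `-/nix/store`. The reason for widening to the directory is presumably that named creates `.jnl` journal files next to dynamic zone files; that rationale belongs next to the line, e.g. `# named writes .jnl journals beside dynamic zone files, so the zone's directory (not just the file) must be writable`. The `else ""` branch also leaves empty strings in the list; `lib.optional` avoids them: `(lib.concatLists (lib.mapAttrsToList (name: config: lib.optional (lib.hasPrefix "/" config.file) "-${dirOf config.file}") cfg.zones))`. Documenting that zone files should live in a dedicated directory (or under `cfg.directory`) would keep users from accidentally re-opening `/etc`.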
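Review bot: With `ProtectSystem = "strict"` everything outside `cfg.directory`, the runtime and configuration directories and the zone directories in `ReadWritePaths` becomes read-only, including `/var/log`, so a user-supplied named logging `channel { file ...; }`, `dump-file` or `statistics-file` pointing elsewhere will presumably start failing; that is a behavior change worth a comment here and a release-note entry. A one-line comment above the option would make the contract explicit: `# strict: only cfg.directory, RuntimeDirectory, ConfigurationDirectory and the zone directories listed in ReadWritePaths stay writable`. `ReadOnlyPaths = "/sys"` remains meaningful under strict, since strict still leaves the /sys API tree writable, so it should not be dropped as redundant.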
@@ -310,7 +310,7 @@ in
 RestrictNamespaces = true;
 # System Call Filtering
 SystemCallArchitectures = "native";
- SystemCallFilter = "~@mount @debug @clock @reboot acct modify_ldt add_key adjtimex clock_adjtime delete_module fanotify_init finit_module get_mempolicy init_module io_destroy io_getevents iopl ioperm io_setup io_submit io_cancel kcmp kexec_load keyctl lookup_dcookie migrate_pages move_pages open_by_handle_at perf_event_open process_vm_readv process_vm_writev ptrace remap_file_pages request_key set_mempolicy swapoff swapon uselib vmsplice";
+ SystemCallFilter = "~@mount @debug @clock @reboot @resources @privileged @obsolete acct modify_ldt add_key adjtimex clock_adjtime delete_module fanotify_init finit_module get_mempolicy init_module io_destroy io_getevents iopl ioperm io_setup io_submit io_cancel kcmp kexec_load keyctl lookup_dcookie migrate_pages move_pages open_by_handle_at perf_event_open process_vm_readv process_vm_writev ptrace remap_file_pages request_key set_mempolicy swapoff swapon uselib vmsplice";
 };
 unitConfig.Documentation = "man:named(8)";
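Review bot: Adding `@resources` and `@privileged` to the denylist may terminate named at startup rather than merely restrict it: no `SystemCallErrorNumber=` is visible in the unit, so a filtered call kills the process with SIGSYS, and as far as I recall BIND applies its `files`/`stacksize`/`datasize` limits via `setrlimit` (in `@resources`), while `@privileged` covers `setuid`/`setgid`/`setgroups`, which matter if named is still launched with `-u` (the `ExecStart` line is outside this hunk). Consider adding `SystemCallErrorNumber = "EPERM";` so denied calls fail softly and are visible in the journal, and run the NixOS bind test with a dynamic (`allow-update`) zone before merging. Separately, most of the individually listed syscalls are now redundant with the groups (`@privileged` already contains `@clock`, `@reboot`, `@module`, `@swap`, `@raw-io`, `acct`, `open_by_handle_at` and `fanotify_init`; `@resources` contains the mempolicy and page-migration calls; `@obsolete` contains `uselib`), so the string could be reduced to the groups plus the few remaining names for readability.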