Merge pull request #85567 from Izorkin/nginx-sandbox

This commit is contained in:
Jörg Thalheim 2020-05-13 10:34:02 +01:00 committed by GitHub
commit 6c437ef1bb
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
6 changed files with 110 additions and 1 deletions


@ -463,6 +463,14 @@ in
'';
};
enableSandbox = mkOption {
default = false;
type = types.bool;
description = ''
Starting Nginx web server with additional sandbox/hardening options.
'';
};
user = mkOption {
type = types.str;
default = "nginx";
@ -710,6 +718,27 @@ in
LogsDirectoryMode = "0750";
# Capabilities
AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" "CAP_SYS_RESOURCE" ];
CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" "CAP_SYS_RESOURCE" ];
# Security
NoNewPrivileges = true;
} // optionalAttrs cfg.enableSandbox {
# Sandboxing
ProtectSystem = "strict";
ProtectHome = mkDefault true;
PrivateTmp = true;
PrivateDevices = true;
ProtectHostname = true;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectControlGroups = true;
RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
LockPersonality = true;
MemoryDenyWriteExecute = !(builtins.any (mod: (mod.allowMemoryWriteExecute or false)) pkgs.nginx.modules);
RestrictRealtime = true;
RestrictSUIDSGID = true;
PrivateMounts = true;
# System Call Filtering
SystemCallArchitectures = "native";
};
};
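Review bot: `MemoryDenyWriteExecute` on the new side is computed from `pkgs.nginx.modules` rather than from the package the unit actually runs; if this module exposes a package option (`cfg.package`, not visible in this hunk), a user who picks a different nginx build with a JIT-based module gets the check evaluated against the wrong module list and workers killed under W^X, so I would write `MemoryDenyWriteExecute = !(builtins.any (mod: (mod.allowMemoryWriteExecute or false)) cfg.package.modules);` assuming that option exists. The `# System Call Filtering` heading introduces only `SystemCallArchitectures = "native"`, which pins the ABI but filters no syscalls; either rename it to `# System Call Architecture` or add an actual `SystemCallFilter` deny-list, verified against what nginx still needs (it keeps `CAP_NET_BIND_SERVICE` and `CAP_SYS_RESOURCE` above). `ProtectSystem = "strict"` makes every path read-only except the systemd-managed directories, so the `enableSandbox` description in the first hunk should state that custom `proxy_cache_path` or temp paths outside those directories need `ReadWritePaths`, instead of the current "Starting Nginx web server with additional sandbox/hardening options." The enclosing `serviceConfig` attribute set starts outside the hunk.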