movefasta/nixpkgs
0
0
Fork 0
mirror of https://github.com/NixOS/nixpkgs.git synced 2025-07-14 06:00:33 +03:00
Code Activity

nixos/fail2ban: enable sandboxing

Browse source
This commit is contained in:
Izorkin 2019-12-23 14:58:02 +03:00
parent f1d7dfe29f
commit 96e2669114
1 changed files with 19 additions and 5 deletions
Download patch file Download diff file Expand all files Collapse all files

24
nixos/modules/services/security/fail2ban.nix
View file

@ -250,12 +250,26 @@ in
Type = "simple"; Type = "simple";
Restart = "on-failure"; Restart = "on-failure";
PIDFile = "/run/fail2ban/fail2ban.pid"; PIDFile = "/run/fail2ban/fail2ban.pid";
# Capabilities
ReadOnlyDirectories = "/"; CapabilityBoundingSet = [ "CAP_AUDIT_READ" "CAP_DAC_READ_SEARCH" "CAP_NET_ADMIN" "CAP_NET_RAW" ];
ReadWriteDirectories = "/run/fail2ban /var/tmp /var/lib"; # Security
PrivateTmp = "true"; NoNewPrivileges = true;
# Directory
RuntimeDirectory = "fail2ban"; RuntimeDirectory = "fail2ban";
CapabilityBoundingSet = "CAP_DAC_READ_SEARCH CAP_NET_ADMIN CAP_NET_RAW"; RuntimeDirectoryMode = "0750";
StateDirectory = "fail2ban";
StateDirectoryMode = "0750";
LogsDirectory = "fail2ban";
LogsDirectoryMode = "0750";
# Sandboxing
ProtectSystem = "strict";
ProtectHome = true;
PrivateTmp = true;
PrivateDevices = true;
ProtectHostname = true;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectControlGroups = true;
}; };
}; };