movefasta/nixpkgs
0
0
Fork 0
mirror of https://github.com/NixOS/nixpkgs.git synced 2025-07-14 06:00:33 +03:00
Code Activity

nixos/zipline: improve systemd hardening

Browse source
This commit is contained in:
Defelo 2025-03-04 22:12:09 +01:00
parent 0deb1b285f
commit ef19fcf725
No known key found for this signature in database
GPG key ID: 2A05272471204DD3
1 changed files with 11 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

17
nixos/modules/services/web-apps/zipline.nix
View file

@ -107,9 +107,11 @@ in
ExecStart = lib.getExe cfg.package;
# Hardening
AmbientCapabilities = "";
CapabilityBoundingSet = [ "" ];
DeviceAllow = [ "" ];
DevicePolicy = "closed";
LockPersonality = true;
NoNewPrivileges = true;
PrivateDevices = true;
PrivateTmp = true;
PrivateUsers = true;
@ -123,15 +125,18 @@ in
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProtectSystem = "strict";
RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
"AF_UNIX"
];
RemoveIPC = true;
RestrictAddressFamilies = [ "AF_INET AF_INET6 AF_UNIX AF_NETLINK" ];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallFilter = [
"@system-service"
"~@privileged"
"~@resources"
];
UMask = "0077";
};
};
};