pyrox.dev / nixpkgs
lol
fork atom

nixos/jenkins: Apply hardening options (#435751)

Niklas Korz 2d5317c1 06b6bbc1

options
unified split
Changed files
+27
nixos
modules
services
continuous-integration
jenkins
default.nix
+27
nixos/modules/services/continuous-integration/jenkins/default.nix 
···

       
254

       
254

       
 

       
        StateDirectory = lib.mkIf (lib.hasPrefix "/var/lib/jenkins" cfg.home) "jenkins";


     

       
255

       
255

       
 

       
        # For (possible) socket use


     

       
256

       
256

       
 

       
        RuntimeDirectory = "jenkins";


     

       

       
257

       
+

       
        AmbientCapabilities = "";


     

       

       
258

       
+

       
        CapabilityBoundingSet = "";


     

       

       
259

       
+

       
        LockPersonality = true;


     

       

       
260

       
+

       
        # MemoryDenyWriteExecute = false;   Breaks execution;


     

       

       
261

       
+

       
        NoNewPrivileges = true;


     

       

       
262

       
+

       
        PrivateDevices = true;


     

       

       
263

       
+

       
        PrivateMounts = true;


     

       

       
264

       
+

       
        PrivateTmp = true;


     

       

       
265

       
+

       
        ProtectClock = true;


     

       

       
266

       
+

       
        ProtectControlGroups = true;


     

       

       
267

       
+

       
        ProtectHome = true;


     

       

       
268

       
+

       
        ProtectHostname = true;


     

       

       
269

       
+

       
        ProtectKernelLogs = true;


     

       

       
270

       
+

       
        ProtectKernelModules = true;


     

       

       
271

       
+

       
        ProtectKernelTunables = true;


     

       

       
272

       
+

       
        ProtectSystem = "full";


     

       

       
273

       
+

       
        RemoveIPC = true;


     

       

       
274

       
+

       
        RestrictAddressFamilies = [


     

       

       
275

       
+

       
          "AF_UNIX"


     

       

       
276

       
+

       
          "AF_INET"


     

       

       
277

       
+

       
          "AF_INET6"


     

       

       
278

       
+

       
        ];


     

       

       
279

       
+

       
        RestrictNamespaces = true;


     

       

       
280

       
+

       
        RestrictRealtime = true;


     

       

       
281

       
+

       
        RestrictSUIDSGID = true;


     

       

       
282

       
+

       
        SystemCallArchitectures = "native";


     

       

       
283

       
+

       
        UMask = 27;


     

       
257

       
284

       
 

       
      };


     

       
258

       
285

       
 

       
    };


     

       
259

       
286

       
 

       
  };