pyrox.dev / nixpkgs
lol
fork atom

nixos/logrotate: relax hardening (#345275)

Martin Weinelt 6710d0dd 27e93e30

options
unified split
Changed files
+5 -3
nixos
modules
services
logging
logrotate.nix
+5 -3
nixos/modules/services/logging/logrotate.nix 
···

       
260

       
260

       
 

       
        # hardening


     

       
261

       
261

       
 

       
        CapabilityBoundingSet = [


     

       
262

       
262

       
 

       
          "CAP_CHOWN"


     

       

       
263

       
+

       
          "CAP_DAC_OVERRIDE"


     

       

       
264

       
+

       
          "CAP_SETUID"


     

       
263

       
265

       
 

       
          "CAP_SETGID"


     

       
264

       
266

       
 

       
        ];


     

       
265

       
267

       
 

       
        DevicePolicy = "closed";


     
···

       
280

       
282

       
 

       
        ProtectSystem = "full";


     

       
281

       
283

       
 

       
        RestrictNamespaces = true;


     

       
282

       
284

       
 

       
        RestrictRealtime = true;


     

       
283

       

       
-

       
        RestrictSUIDSGID = true;


     

       

       
285

       
+

       
        RestrictSUIDSGID = false; # can create sgid directories


     

       
284

       
286

       
 

       
        SystemCallArchitectures = "native";


     

       
285

       
287

       
 

       
        SystemCallFilter = [


     

       
286

       

       
-

       
          "@system-service"


     

       

       
288

       
+

       
          "@system-service @setuid"


     

       
287

       
289

       
 

       
          "~@privileged @resources"


     

       
288

       
290

       
 

       
          "@chown"


     

       
289

       
291

       
 

       
        ];


     

       
290

       
292

       
 

       
        UMask = "0027";


     

       
291

       
293

       
 

       
      } // lib.optionalAttrs (!cfg.allowNetworking) {


     

       
292

       

       
-

       
        PrivateNetwork = true;


     

       

       
294

       
+

       
        PrivateNetwork = true; # e.g. mail delivery


     

       
293

       
295

       
 

       
        RestrictAddressFamilies = "none";


     

       
294

       
296

       
 

       
      };


     

       
295

       
297

       
 

       
    };