pyrox.dev / nixpkgs
lol
fork atom

nixos/geoipupdate: Add stricter service security

talyz 7cc39b13 41c82cd5

options
unified split
Changed files
+20
nixos
modules
services
misc
geoipupdate.nix
+20
nixos/modules/services/misc/geoipupdate.nix 
···

       
150

       
150

       
 

       
        ReadWritePaths = cfg.settings.DatabaseDirectory;


     

       
151

       
151

       
 

       
        RuntimeDirectory = "geoipupdate";


     

       
152

       
152

       
 

       
        RuntimeDirectoryMode = 0700;


     

       

       
153

       
+

       
        CapabilityBoundingSet = "";


     

       

       
154

       
+

       
        PrivateDevices = true;


     

       

       
155

       
+

       
        PrivateMounts = true;


     

       

       
156

       
+

       
        PrivateUsers = true;


     

       

       
157

       
+

       
        ProtectClock = true;


     

       

       
158

       
+

       
        ProtectControlGroups = true;


     

       

       
159

       
+

       
        ProtectHome = true;


     

       

       
160

       
+

       
        ProtectHostname = true;


     

       

       
161

       
+

       
        ProtectKernelLogs = true;


     

       

       
162

       
+

       
        ProtectKernelModules = true;


     

       

       
163

       
+

       
        ProtectKernelTunables = true;


     

       

       
164

       
+

       
        ProtectProc = "invisible";


     

       

       
165

       
+

       
        ProcSubset = "pid";


     

       

       
166

       
+

       
        SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ];


     

       

       
167

       
+

       
        RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];


     

       

       
168

       
+

       
        RestrictRealtime = true;


     

       

       
169

       
+

       
        RestrictNamespaces = true;


     

       

       
170

       
+

       
        MemoryDenyWriteExecute = true;


     

       

       
171

       
+

       
        LockPersonality = true;


     

       

       
172

       
+

       
        SystemCallArchitectures = "native";


     

       
153

       
173

       
 

       
      };


     

       
154

       
174

       
 

       
    };


     

       
155

       
175