pyrox.dev / nixpkgs
lol
fork atom

nixos/echoip: improve systemd hardening

Defelo eccf6388 110b3af9

options
unified split
Changed files
+13 -6
nixos
modules
services
web-apps
echoip.nix
+13 -6
nixos/modules/services/web-apps/echoip.nix 
···

       
75

       
75

       
 

       
        );


     

       
76

       
76

       
 

       



     

       
77

       
77

       
 

       
        # Hardening


     

       

       
78

       
+

       
        AmbientCapabilities = "";


     

       
78

       
79

       
 

       
        CapabilityBoundingSet = [ "" ];


     

       
79

       

       
-

       
        DeviceAllow = [ "" ];


     

       

       
80

       
+

       
        DevicePolicy = "closed";


     

       
80

       
81

       
 

       
        LockPersonality = true;


     

       

       
82

       
+

       
        MemoryDenyWriteExecute = true;


     

       

       
83

       
+

       
        NoNewPrivileges = true;


     

       
81

       
84

       
 

       
        PrivateDevices = true;


     

       
82

       
85

       
 

       
        PrivateTmp = true;


     

       
83

       
86

       
 

       
        PrivateUsers = true;


     
···

       
91

       
94

       
 

       
        ProtectKernelTunables = true;


     

       
92

       
95

       
 

       
        ProtectProc = "invisible";


     

       
93

       
96

       
 

       
        ProtectSystem = "strict";


     

       
94

       

       
-

       
        RestrictAddressFamilies = [


     

       
95

       

       
-

       
          "AF_INET"


     

       
96

       

       
-

       
          "AF_INET6"


     

       
97

       

       
-

       
          "AF_UNIX"


     

       
98

       

       
-

       
        ];


     

       

       
97

       
+

       
        RemoveIPC = true;


     

       

       
98

       
+

       
        RestrictAddressFamilies = [ "AF_INET AF_INET6 AF_UNIX" ];


     

       
99

       
99

       
 

       
        RestrictNamespaces = true;


     

       
100

       
100

       
 

       
        RestrictRealtime = true;


     

       
101

       
101

       
 

       
        RestrictSUIDSGID = true;


     

       
102

       
102

       
 

       
        SystemCallArchitectures = "native";


     

       

       
103

       
+

       
        SystemCallFilter = [


     

       

       
104

       
+

       
          "@system-service"


     

       

       
105

       
+

       
          "~@privileged"


     

       

       
106

       
+

       
          "~@resources"


     

       

       
107

       
+

       
          "setrlimit"


     

       

       
108

       
+

       
        ];


     

       

       
109

       
+

       
        UMask = "0077";


     

       
103

       
110

       
 

       
      };


     

       
104

       
111

       
 

       
    };


     

       
105

       
112