From 57af25abe7cbea2e9d41e118679282dceba57706 Mon Sep 17 00:00:00 2001
From: Bloxx12
Date: Wed, 9 Apr 2025 15:31:18 +0200
Subject: [PATCH] wayneko/module.nix: extra hardening

---
 modules/services/wayneko/module.nix | 22 +++++++++++++++-------
 1 file changed, 15 insertions(+), 7 deletions(-)

diff --git a/modules/services/wayneko/module.nix b/modules/services/wayneko/module.nix
index d3385e5..511304d 100644
--- a/modules/services/wayneko/module.nix
+++ b/modules/services/wayneko/module.nix
@@ -1,5 +1,4 @@
 {
-  config,
   lib,
   pkgs,
   ...
@@ -22,29 +21,38 @@ in {
       RestartSec = 1;
       TimeoutStopSec = 10;
+      CapabilityBoundingSet = [""];
+      DevicePolicy = "closed";
       LockPersonality = true;
       MemoryDenyWriteExecute = true;
       NoNewPrivileges = true;
-
-      PrivateTmp = true;
       PrivateDevices = true;
-      DevicePolicy = "closed";
       PrivateNetwork = true;
+      PrivateTmp = true;
+      PrivateUsers = true;
+      ProcSubset = "pid";
       ProtectClock = true;
       ProtectControlGroups = true;
       ProtectControlGroup = true;
+      ProtectHome = "true";
+      ProtectHostname = true;
       ProtectKernelLogs = true;
       ProtectKernelModules = true;
       ProtectKernelTunables = true;
+      ProtectProc = "invisible";
       ProtectSystem = "strict";
-      ProtectHome = "read-only"; - - RestrictNamespaces = true;
       RestrictRealtime = true;
       RestrictRealTime = true;
       RestrictSUIDSGID = true;
-      SystemCallFilter = "~@clock @cpu-emulation @debug @obsolete @module @mount @raw-io @reboot @swap";
+      SystemCallArchitectures = ["native"];
+
+      SystemCallFilter = [
+        "@system-service"
+        "~@privileged"
+        "~@resources"
+      ];
     };
   };
 }
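Review bot: `ProtectHome = "true";` among the added lines passes the boolean as a string, unlike every other boolean in this serviceConfig; systemd's boolean parser accepts "true", so it should render the same as `ProtectHome = true;`, but the quoted form reads like a typo next to the documented `"read-only"`/`"tmpfs"` values and should be the bare bool. The same block still carries the misspelled duplicates `ProtectControlGroup = true;` and `RestrictRealTime = true;` (context lines here, next to the correctly spelled `ProtectControlGroups`/`RestrictRealtime`), which systemd does not know and will log as unknown keys and ignore, so a hardening commit is the natural place to delete them. Replacing the old deny-list with the `@system-service` allow-list is a real behaviour change: a syscall outside that set now kills the process with SIGSYS instead of failing with an errno, and with `RestartSec = 1` that presumably becomes a restart loop if wayneko needs anything not in `@system-service`; either validate with `systemd-analyze syscall-filter` and a journal check for SIGSYS, or add `SystemCallErrorNumber = "EPERM";` so violations are logged and survivable while the filter is being confirmed. The enclosing attribute set (`in {`) begins before this hunk.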