faukah/nichts
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

wayneko/module.nix: extra hardening

Browse source
This commit is contained in:
Bloxx12 2025-04-09 15:31:18 +02:00
commit 57af25abe7
1 changed files with 15 additions and 7 deletions
Download patch file Download diff file Expand all files Collapse all files

22
modules/services/wayneko/module.nix
View file

@ -1,5 +1,4 @@
{ {
config,
lib, lib,
pkgs, pkgs,
... ...
@ -22,29 +21,38 @@ in {
RestartSec = 1; RestartSec = 1;
TimeoutStopSec = 10; TimeoutStopSec = 10;
CapabilityBoundingSet = [""];
DevicePolicy = "closed";
LockPersonality = true; LockPersonality = true;
MemoryDenyWriteExecute = true; MemoryDenyWriteExecute = true;
NoNewPrivileges = true; NoNewPrivileges = true;
PrivateTmp = true;
PrivateDevices = true; PrivateDevices = true;
DevicePolicy = "closed";
PrivateNetwork = true; PrivateNetwork = true;
PrivateTmp = true;
PrivateUsers = true;
ProcSubset = "pid";
ProtectClock = true; ProtectClock = true;
ProtectControlGroups = true; ProtectControlGroups = true;
ProtectControlGroup = true; ProtectControlGroup = true;
ProtectHome = "true";
ProtectHostname = true;
ProtectKernelLogs = true; ProtectKernelLogs = true;
ProtectKernelModules = true; ProtectKernelModules = true;
ProtectKernelTunables = true; ProtectKernelTunables = true;
ProtectProc = "invisible";
ProtectSystem = "strict"; ProtectSystem = "strict";
ProtectHome = "read-only";
RestrictNamespaces = true; RestrictNamespaces = true;
RestrictRealtime = true; RestrictRealtime = true;
RestrictRealTime = true; RestrictRealTime = true;
RestrictSUIDSGID = true; RestrictSUIDSGID = true;
SystemCallFilter = "~@clock @cpu-emulation @debug @obsolete @module @mount @raw-io @reboot @swap"; SystemCallArchitectures = ["native"];
SystemCallFilter = [
"@system-service"
"~@privileged"
"~@resources"
];
}; };
}; };
} }