wayneko/module.nix: more systemd hardening tweaks

Bloxx12 2025-04-09 15:31:18 +02:00
commit 824e30fc7c


@ -31,10 +31,11 @@ in {
PrivateTmp = true;
PrivateUsers = true;
ProcSubset = "pid";
ProtectClock = true;
ProtectControlGroups = true;
ProtectControlGroup = true;
ProtectHome = "true";
ProtectHome = "read-only";
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
@ -48,11 +49,7 @@ in {
SystemCallArchitectures = ["native"];
SystemCallFilter = [
"@system-service"
"~@privileged"
"~@resources"
];
SystemCallFilter = "~@clock @cpu-emulation @debug @obsolete @module @mount @raw-io @reboot @swap @privileged";
};
};
}
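Review bot: The single-string `SystemCallFilter` at the end of the second hunk begins with `~`, so if it replaces the list form above it (the hunk header's 11-to-7 line count suggests it does) the unit switches from the `@system-service` allow-list to a deny-list. Every syscall outside the named groups is then permitted, including `@resources`, which the list form excluded. Keeping the allow-list preserves the tighter default, e.g. `SystemCallFilter = ["@system-service" "~@privileged" "~@resources"];`, since most of the newly named groups are, as far as I know, already outside `@system-service`. Separately, `ProtectControlGroup` in the first hunk is not a systemd setting; the directive is `ProtectControlGroups`. If the singular spelling is the one on the new side, systemd will log an unknown-key warning and start the service without that protection.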