wayneko/module.nix: more systemd hardening tweaks

Bloxx12 2025-04-09 15:31:18 +02:00
commit 824e30fc7c


@ -31,10 +31,11 @@ in {
PrivateTmp = true; PrivateTmp = true;
PrivateUsers = true; PrivateUsers = true;
ProcSubset = "pid"; ProcSubset = "pid";
ProtectClock = true; ProtectClock = true;
ProtectControlGroups = true; ProtectControlGroups = true;
ProtectControlGroup = true; ProtectControlGroup = true;
ProtectHome = "true"; ProtectHome = "read-only";
ProtectHostname = true; ProtectHostname = true;
ProtectKernelLogs = true; ProtectKernelLogs = true;
ProtectKernelModules = true; ProtectKernelModules = true;
@ -48,11 +49,7 @@ in {
SystemCallArchitectures = ["native"]; SystemCallArchitectures = ["native"];
SystemCallFilter = [ SystemCallFilter = "~@clock @cpu-emulation @debug @obsolete @module @mount @raw-io @reboot @swap @privileged";
"@system-service"
"~@privileged"
"~@resources"
];
}; };
}; };
} }
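Review bot: The new `SystemCallFilter` string in the second hunk is a pure deny-list, so every syscall outside the named groups is now permitted, whereas the previous list started from the `@system-service` allow-list and then removed `@privileged` and `@resources`. As the systemd documentation describes it, `@system-service` already leaves out groups such as `@clock`, `@mount`, `@swap` and `@reboot`, so the new form appears broader than the old one and no longer filters `@resources`. If the service still runs under the allow-list, I would keep it and append any extra denials, e.g. `SystemCallFilter = ["@system-service" "~@privileged @resources"];`, then compare both variants with `systemd-analyze security` on the unit. In the first hunk, `ProtectHome = "read-only"` relaxes the previous `"true"`, and `ProtectControlGroup` (singular) does not look like a key systemd accepts, since the directive is `ProtectControlGroups`; an unknown key is ignored with a warning and should be dropped. The enclosing attribute set opens above both hunks, so settings that interact with these are not visible here.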