services/vouch-proxy: add some more hardening options

This commit is contained in:
Gabriel Arazas 2023-10-09 20:46:06 +08:00
parent 2dbb3ed68c
commit 7d55e45f70
No known key found for this signature in database
GPG Key ID: ADE0C41DAB221FCC


@ -84,7 +84,12 @@ let
StartLimitInterval = "60s"; StartLimitInterval = "60s";
StartLimitBurst = 3; StartLimitBurst = 3;
PrivateUsers = true;
PrivateTmp = true;
PrivateDevices = true;
LockPersonality = true; LockPersonality = true;
MemoryDenyWriteExecute = true;
NoNewPrivileges = true; NoNewPrivileges = true;
RestrictSUIDSGID = true; RestrictSUIDSGID = true;
RestrictRealtime = true; RestrictRealtime = true;
@ -97,7 +102,14 @@ let
ProtectProc = "invisible"; ProtectProc = "invisible";
ProcSubset = "pid"; ProcSubset = "pid";
SystemCallFilter = [ "@system-service" ]; SystemCallFilter = [
"@system-service"
"~@cpu-emulation"
"~@keyring"
"~@module"
"~@privileged"
"~@reboot"
];
SystemCallErrorNumber = "EPERM"; SystemCallErrorNumber = "EPERM";
SystemCallArchitectures = "native"; SystemCallArchitectures = "native";
@ -111,13 +123,9 @@ let
# Limit this service to Unix sockets and IPs. # Limit this service to Unix sockets and IPs.
RestrictAddressFamilies = [ RestrictAddressFamilies = [
"AF_LOCAL" "AF_LOCAL"
# The internet class families.
"AF_INET" "AF_INET"
"AF_INET6" "AF_INET6"
]; ];
# Restrict what namespaces it can create which is none.
RestrictNamespaces = true; RestrictNamespaces = true;
}; };
}; };
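Review bot: The deny-list entries `"~@privileged"` and `"~@keyring"` added to the SystemCallFilter list remove syscall groups that systemd's `@system-service` set itself pulls in (as of current systemd it includes `@chown`, `@setuid` and `@keyring`), so the effective allow set is narrower than the first entry suggests and the list deserves a comment stating that, e.g. `# The ~ entries carve @chown/@setuid/@keyring out of @system-service; with SystemCallErrorNumber=EPERM a blocked call fails with EPERM instead of SIGSYS.`. Because `SystemCallErrorNumber = "EPERM"` is already in place, a call blocked by the new entries surfaces as a runtime error in the journal rather than a crash, which is the thing to check first if the proxy misbehaves after this change. `PrivateUsers = true` in the first hunk additionally confines the unit's capabilities to a private user namespace, so any `AmbientCapabilities` or privileged listen port configured outside these hunks (not visible here) would need re-checking. The third hunk drops the two explanatory comments on `RestrictAddressFamilies` and `RestrictNamespaces` without a replacement; keeping at least `# Limit this service to Unix sockets and IPv4/IPv6.` preserves the rationale.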