Commit 3d30811d authored by Felix Singer's avatar Felix Singer
Browse files

nixos/gerrit: Apply initial hardening using the systemd unit 



These options are a good start for sandboxing the service. It's planned
to set `ProtectSystem` to `strict` instead of `full`, but that requires
specific directories to be configured as writable. It's also planned to
filter system calls. However, that requires more testing but it
shouldn't prevent us from applying these options for now and add others
later.

Signed-off-by: default avatarFelix Singer <felixsinger@posteo.net>
parent 6b955bdb

nixos/modules/services/web-apps/gerrit.nix

+21 −0
Original line number Diff line number Diff line
@@ -222,6 +222,27 @@ in 
        StandardOutput = "journal";

        StateDirectory = "gerrit";

        WorkingDirectory = "%S/gerrit";

        AmbientCapabilities = "";

        CapabilityBoundingSet = "";

        LockPersonality = true;

        NoNewPrivileges = true;

        PrivateDevices = true;

        PrivateTmp = true;

        ProtectClock = true;

        ProtectControlGroups = true;

        ProtectHome = true;

        ProtectHostname = true;

        ProtectKernelLogs = true;

        ProtectKernelModules = true;

        ProtectKernelTunables = true;

        ProtectProc = "noaccess";

        ProtectSystem = "full";

        RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];

        RestrictNamespaces = true;

        RestrictRealtime = true;

        RestrictSUIDSGID = true;

        SystemCallArchitectures = "native";

        UMask = 027;

      };

    };

  };