Unverified Commit 4ee53e65 authored by Adam C. Stephens's avatar Adam C. Stephens Committed by GitHub
Browse files

nixos/open-webui: add additional systemd hardening (#377884)

parents 98a58ea4 dea0cb06

nixos/modules/services/misc/open-webui.nix

+12 −0
Original line number Diff line number Diff line
@@ -120,6 +120,18 @@ in 
        RestrictRealtime = true;

        SystemCallArchitectures = "native";

        UMask = "0077";

        CapabilityBoundingSet = "";

        RestrictAddressFamilies = [

          "AF_INET"

          "AF_INET6"

          "AF_UNIX"

        ];

        ProtectClock = true;

        ProtectProc = "invisible";

        SystemCallFilter = [

          "@system-service"

          "~@privileged"

        ];

      };

    };