Unverified Commit 5e10c152 authored by Martin Weinelt's avatar Martin Weinelt Committed by GitHub

nixos/avahi-daemon: set up sandboxing (#348406)

parents ca4f1385 8a2439f1
+41 −0
@@ -317,6 +317,47 @@ in
        Type = "dbus";
        ExecStart = "${cfg.package}/sbin/avahi-daemon --syslog -f ${avahiDaemonConf}";
        ConfigurationDirectory = "avahi/services";

        # Hardening
        CapabilityBoundingSet = [
          # https://github.com/avahi/avahi/blob/v0.9-rc1/avahi-daemon/caps.c#L38
          "CAP_SYS_CHROOT"
          "CAP_SETUID"
          "CAP_SETGID"
        ];
        DevicePolicy = "closed";
        LockPersonality = true;
        MemoryDenyWriteExecute = true;
        NoNewPrivileges = true;
        PrivateDevices = true;
        PrivateTmp = true;
        PrivateUsers = false;
        ProcSubset = "pid";
        ProtectClock = true;
        ProtectControlGroups = true;
        ProtectHome = true;
        ProtectHostname = true;
        ProtectKernelLogs = true;
        ProtectKernelModules = true;
        ProtectKernelTunables = true;
        ProtectProc = "invisible";
        ProtectSystem = "strict";
        RestrictAddressFamilies = [
          "AF_INET"
          "AF_INET6"
          "AF_NETLINK"
          "AF_UNIX"
        ];
        RestrictNamespaces = true;
        RestrictRealtime = true;
        RestrictSUIDSGID = true;
        SystemCallArchitectures = "native";
        SystemCallFilter = [
          "@system-service"
          "~@privileged"
          "@chown setgroups setresuid"
        ];
        UMask = "0077";
      };
    };
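Review bot: The capability bounding set keeps `CAP_SYS_CHROOT` (L21), but the `SystemCallFilter` list never re-admits `chroot(2)` after `~@privileged` (L54) removes it, so the two settings disagree: if the packaged daemon actually calls chroot when it drops root, the call would be rejected by the filter rather than permitted by the capability, and if it never does, the capability is dead weight. Either add `chroot` to the third entry, `"@chown chroot setgroups setresuid"`, or drop `"CAP_SYS_CHROOT"` from the bounding set, whichever the build's chroot support calls for; I cannot tell from the hunk which applies. Independently of that, the three-entry filter only works because each Nix list element becomes its own `SystemCallFilter=` line that systemd applies in order, and the explicit `PrivateUsers = false` (L31) is there for the same reason the uid/gid caps are kept; a short comment above L52 such as `# avahi drops root itself: re-allow the setuid/setgroups calls that ~@privileged removed` would stop a later reader from "cleaning up" the third entry or flipping PrivateUsers. The enclosing serviceConfig attrset starts outside the hunk.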

+2 −0
@@ -75,5 +75,7 @@ import ./make-test-python.nix {
    one.succeed("test `wc -l < out` -gt 0")
    two.succeed("avahi-browse -r -t _ssh._tcp | tee out >&2")
    two.succeed("test `wc -l < out` -gt 0")

    one.log(one.execute("systemd-analyze security avahi-daemon.service | grep -v ✓")[1])
  '';
} args
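Review bot: The added line only logs the `systemd-analyze security` output and can never fail, so a later change that weakens the sandbox (dropping a Protect*/Restrict* setting) would pass this test unnoticed. Consider turning it into an assertion on the exposure score, e.g. `one.succeed("systemd-analyze security --threshold=<score chosen from the current run> avahi-daemon.service")`, keeping the existing `one.log(...)` for diagnostics. Note also that `grep -v ✓` exits non-zero when every line is filtered, which `execute()` tolerates but `succeed()` would not, so the two calls should stay separate. The test script this hunk belongs to starts outside the hunk.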