Loading nixos/modules/services/misc/redlib.nix +42 −0 Original line number Diff line number Diff line Loading @@ -95,6 +95,47 @@ in environment = mapAttrs (_: v: if isBool v then boolToString' v else toString v) cfg.settings; serviceConfig = { # Hardening LockPersonality = true; MemoryDenyWriteExecute = true; NoNewPrivileges = true; PrivateDevices = true; PrivateIPC = true; PrivateTmp = true; ProcSubset = "pid"; ProtectClock = true; ProtectControlGroups = true; ProtectHome = true; ProtectHostname = true; ProtectKernelLogs = true; ProtectKernelModules = true; ProtectKernelTunables = true; ProtectProc = "invisible"; ProtectSystem = "full"; RemoveIPC = true; RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ]; RestrictNamespaces = true; RestrictRealtime = true; RestrictSUIDSGID = true; SystemCallArchitectures = "native"; SystemCallFilter = [ "~@mount" "~@swap" "~@resources" "~@reboot" "~@raw-io" "~@obsolete" "~@module" "~@debug" "~@cpu-emulation" "~@clock" "~@privileged" ]; UMask = "0027"; ExecStart = [ "" "${lib.getExe cfg.package} ${args}" Loading @@ -111,6 +152,7 @@ in # A private user cannot have process capabilities on the host's user # namespace and thus CAP_NET_BIND_SERVICE has no effect. PrivateUsers = true; CapabilityBoundingSet = false; } ); }; Loading Loading
nixos/modules/services/misc/redlib.nix +42 −0 Original line number Diff line number Diff line Loading @@ -95,6 +95,47 @@ in environment = mapAttrs (_: v: if isBool v then boolToString' v else toString v) cfg.settings; serviceConfig = { # Hardening LockPersonality = true; MemoryDenyWriteExecute = true; NoNewPrivileges = true; PrivateDevices = true; PrivateIPC = true; PrivateTmp = true; ProcSubset = "pid"; ProtectClock = true; ProtectControlGroups = true; ProtectHome = true; ProtectHostname = true; ProtectKernelLogs = true; ProtectKernelModules = true; ProtectKernelTunables = true; ProtectProc = "invisible"; ProtectSystem = "full"; RemoveIPC = true; RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ]; RestrictNamespaces = true; RestrictRealtime = true; RestrictSUIDSGID = true; SystemCallArchitectures = "native"; SystemCallFilter = [ "~@mount" "~@swap" "~@resources" "~@reboot" "~@raw-io" "~@obsolete" "~@module" "~@debug" "~@cpu-emulation" "~@clock" "~@privileged" ]; UMask = "0027"; ExecStart = [ "" "${lib.getExe cfg.package} ${args}" Loading @@ -111,6 +152,7 @@ in # A private user cannot have process capabilities on the host's user # namespace and thus CAP_NET_BIND_SERVICE has no effect. PrivateUsers = true; CapabilityBoundingSet = false; } ); }; Loading
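Review bot: The new `CapabilityBoundingSet = false;` in the second hunk is serialized by NixOS's serviceConfig writer as the literal line `CapabilityBoundingSet=false`, and `false` is not a capability name, so at best systemd logs a parse warning and empties the set and at worst the directive is ignored and the bounding set is left untouched; the idiomatic empty set used elsewhere in nixpkgs is `CapabilityBoundingSet = "";`. Since `PrivateUsers = true;` already makes host capabilities ineffective (as the surrounding comment says), the empty set is belt-and-braces, but it should still be spelled in a form systemd parses cleanly. Separately, in the first hunk `ProtectSystem = "full";` leaves `/etc` writable-adjacent paths and the rest of the filesystem reachable; with no `StateDirectory`, `ReadWritePaths` or similar visible in these hunks, redlib appears to be stateless and `ProtectSystem = "strict";` would be the stronger default — I'd confirm the binary writes nothing outside `/tmp` before tightening it. The `serviceConfig` attribute set opens in the first hunk and closes in the second, so the lines between the two hunks are not visible here.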