Commit 81e2494e authored by Felix Singer

nixos/jenkins: Set ProtectSystem to strict

Protect most files and directories from being read or written by setting
ProtectSystem to strict. Exclude the Jenkins state directory from that
protection.

https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#ProtectSystem=



Signed-off-by: Felix Singer <felixsinger@posteo.net>
parent 2d027a41
+4 −1
@@ -275,7 +275,10 @@ in
        ProtectKernelModules = true;
        ProtectKernelTunables = true;
        ProtectProc = "invisible";
        ProtectSystem = "full";
        ProtectSystem = "strict";
        ReadWritePaths = [
          cfg.home
        ];
        RemoveIPC = true;
        RestrictAddressFamilies = [
          "AF_UNIX"
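Review bot: With `ProtectSystem = "strict"` the only writable location this hunk grants is `cfg.home`, so a Jenkins job or plugin configured to write anywhere else (for example a custom workspace outside the state directory) will start failing with read-only filesystem errors. Whether other writable locations are provided elsewhere is not visible, since the serviceConfig block starts and ends outside the hunk. I would add a comment above the list, e.g. `# strict mounts the whole hierarchy read-only; every path Jenkins must write to has to be listed here`, and mention the tightening in the release notes. systemd also fails the unit at namespace setup when a `ReadWritePaths` entry does not exist (unless it is prefixed with `-`), so it is worth confirming that `cfg.home` is created before the service starts. Keep in mind that strict only makes the hierarchy read-only; limiting what the service can read needs separate options such as `InaccessiblePaths` or `ProtectHome`.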