Unverified Commit d65002af authored by lewo's avatar lewo Committed by GitHub

Merge pull request #93314 from tnias/nixos_opendkim_20200717

nixos/opendkim: systemd sandbox
parents f87374dc c46dd4e2
+6 −0
@@ -1059,6 +1059,12 @@ services.transmission.settings.rpc-bind-address = "0.0.0.0";
      removed, as it depends on libraries from deepin.
    </para>
   </listitem>
   <listitem>
     <para>
       The <literal>opendkim</literal> module now uses systemd sandboxing features
       to limit the exposure of the system towards the opendkim service.
     </para>
   </listitem>
  </itemizedlist>
 </section>
</section>
+30 −0
@@ -129,6 +129,36 @@ in {
        User = cfg.user;
        Group = cfg.group;
        RuntimeDirectory = optional (cfg.socket == defaultSock) "opendkim";
        StateDirectory = "opendkim";
        StateDirectoryMode = "0700";
        ReadWritePaths = [ cfg.keyPath ];

        AmbientCapabilities = [];
        CapabilityBoundingSet = [];
        DevicePolicy = "closed";
        LockPersonality = true;
        MemoryDenyWriteExecute = true;
        NoNewPrivileges = true;
        PrivateDevices = true;
        PrivateMounts = true;
        PrivateTmp = true;
        PrivateUsers = true;
        ProtectClock = true;
        ProtectControlGroups = true;
        ProtectHome = true;
        ProtectHostname = true;
        ProtectKernelLogs = true;
        ProtectKernelModules = true;
        ProtectKernelTunables = true;
        ProtectSystem = "strict";
        RemoveIPC = true;
        RestrictAddressFamilies = [ "AF_INET" "AF_INET6 AF_UNIX" ];
        RestrictNamespaces = true;
        RestrictRealtime = true;
        RestrictSUIDSGID = true;
        SystemCallArchitectures = "native";
        SystemCallFilter = [ "@system-service" "~@privileged @resources" ];
        UMask = "0077";
      };
    };
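Review bot: `RestrictAddressFamilies = [ "AF_INET" "AF_INET6 AF_UNIX" ];` folds two families into one list element, which looks like a missing quote boundary; systemd merges repeated assignments so the sandbox still admits all three, but it should read `RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];` for consistency (the `"~@privileged @resources"` element of `SystemCallFilter` is different and correct as written, since the leading `~` has to prefix the whole denylist line). Separately, `UMask = "0077"` combined with the UNIX socket placed under the `RuntimeDirectory` from the context line means the socket is created without group or other permissions, so an MTA running as a different user cannot connect unless opendkim's own `UMask` config option overrides it — worth confirming against the generated config, and if group access is intended the usual pairing is `UMask = "0007";` with a group-readable `RuntimeDirectoryMode`. The hardening block would also benefit from a comment on the one deliberate relaxation, e.g. `# keyPath must stay writable under ProtectSystem=strict (keys are generated there on first start)` if that is indeed why `ReadWritePaths` carries it; the preStart logic and the rest of the `serviceConfig` set lie outside this hunk.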