From 1d3f3a4ecac875728f2ca9f910ec8d27f2c728fd Mon Sep 17 00:00:00 2001
From: Dmitriy Kholkin
Date: Sun, 7 Jul 2024 17:01:25 +0300
Subject: [PATCH] harden kiwix-serve service

---
 modules/kiwix-serve.nix | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/modules/kiwix-serve.nix b/modules/kiwix-serve.nix
index 664e9d2..90ff9a2 100644
--- a/modules/kiwix-serve.nix
+++ b/modules/kiwix-serve.nix
@@ -68,7 +68,7 @@ in
 AmbientCapabilities = [""] ++ lib.optional bindsPrivilegedPort "CAP_NET_BIND_SERVICE";
 CapabilityBoundingSet = [""] ++ lib.optional bindsPrivilegedPort "CAP_NET_BIND_SERVICE";
- DeviceAllow = "";
+ DevicePolicy = "closed";
 DynamicUser = true;
 LockPersonality = true;
 MemoryDenyWriteExecute = true;
@@ -86,7 +86,7 @@ in
 ProtectKernelLogs = true;
 ProtectKernelModules = true;
 ProtectKernelTunables = true;
- ProtectProc = "noaccess";
+ ProtectProc = "invisible";
 ProtectSystem = "strict";
 RemoveIPC = true;
 RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" "AF_NETLINK" ];
@@ -94,8 +94,9 @@ in
 RestrictRealtime = true;
 RestrictSUIDSGID = true;
 SystemCallArchitectures = "native";
- SystemCallFilter = [];
+ SystemCallFilter = [ "@system-service" "~@privileged" ];
 SystemCallErrorNumber = "EPERM";
+ UMask = "0002";
 };
 };
 };
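Review bot: The new `UMask = "0002";` in the third hunk loosens the service rather than hardening it: systemd's default when UMask is unset is 0022, so 0002 makes every file kiwix-serve creates group-writable, which runs against the direction of the other changes in this patch. Unless the service has to write into a directory shared with another group (with DynamicUser the group is a transient one, so that seems unlikely), the conventional hardened value is `UMask = "0077";`; if the permissive mask is intentional, a comment naming the consumer, e.g. `# group-writable: <other unit — placeholder> needs to write here`, would stop the next reader from "fixing" it. The `SystemCallFilter` and `DevicePolicy` changes look sound; note that `"@system-service"` already excludes most of `@privileged`, so `"~@privileged"` is belt-and-braces and `"~@resources"` is the other group usually paired with it. The three closing `};` lines close attribute sets whose opening lines are outside the hunk.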