AtaraxiaDev/nixos-config
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

harden kiwix-serve service

Browse Source
This commit is contained in:
Dmitriy Kholkin 2024-07-07 17:01:25 +03:00
parent 5b670652ef
commit 1d3f3a4eca
Signed by: AtaraxiaDev
GPG Key ID: FD266B810DF48DF2
1 changed files with 4 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
modules/kiwix-serve.nix
View File

@ -68,7 +68,7 @@ in
AmbientCapabilities = [""] ++ lib.optional bindsPrivilegedPort "CAP_NET_BIND_SERVICE"; AmbientCapabilities = [""] ++ lib.optional bindsPrivilegedPort "CAP_NET_BIND_SERVICE";
CapabilityBoundingSet = [""] ++ lib.optional bindsPrivilegedPort "CAP_NET_BIND_SERVICE"; CapabilityBoundingSet = [""] ++ lib.optional bindsPrivilegedPort "CAP_NET_BIND_SERVICE";
DeviceAllow = ""; DevicePolicy = "closed";
DynamicUser = true; DynamicUser = true;
LockPersonality = true; LockPersonality = true;
MemoryDenyWriteExecute = true; MemoryDenyWriteExecute = true;
@ -86,7 +86,7 @@ in
ProtectKernelLogs = true; ProtectKernelLogs = true;
ProtectKernelModules = true; ProtectKernelModules = true;
ProtectKernelTunables = true; ProtectKernelTunables = true;
ProtectProc = "noaccess"; ProtectProc = "invisible";
ProtectSystem = "strict"; ProtectSystem = "strict";
RemoveIPC = true; RemoveIPC = true;
RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" "AF_NETLINK" ]; RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" "AF_NETLINK" ];
@ -94,8 +94,9 @@ in
RestrictRealtime = true; RestrictRealtime = true;
RestrictSUIDSGID = true; RestrictSUIDSGID = true;
SystemCallArchitectures = "native"; SystemCallArchitectures = "native";
SystemCallFilter = []; SystemCallFilter = [ "@system-service" "~@privileged" ];
SystemCallErrorNumber = "EPERM"; SystemCallErrorNumber = "EPERM";
UMask = "0002";
}; };
}; };
}; };