46 lines
1.8 KiB
Diff
46 lines
1.8 KiB
Diff
From 482bafe254f447040d10716a5e8cd6692b743994 Mon Sep 17 00:00:00 2001
|
|
From: Izorkin <izorkin@elven.pw>
|
|
Date: Sun, 1 Jan 2023 14:07:09 +0300
|
|
Subject: [PATCH] nixos/gitea: update sandboxing options
|
|
|
|
---
|
|
nixos/modules/services/misc/gitea.nix | 11 ++++++++---
|
|
1 file changed, 8 insertions(+), 3 deletions(-)
|
|
|
|
diff --git a/nixos/modules/services/misc/gitea.nix b/nixos/modules/services/misc/gitea.nix
|
|
index 00e90f5b32b47..d93bb393429de 100644
|
|
--- a/nixos/modules/services/misc/gitea.nix
|
|
+++ b/nixos/modules/services/misc/gitea.nix
|
|
@@ -567,7 +567,10 @@ in
|
|
Restart = "always";
|
|
# Runtime directory and mode
|
|
RuntimeDirectory = "gitea";
|
|
- RuntimeDirectoryMode = "0755";
|
|
+ RuntimeDirectoryMode = "0750";
|
|
+ # Proc filesystem
|
|
+ ProcSubset = "pid";
|
|
+ ProtectProc = "invisible";
|
|
# Access write directories
|
|
ReadWritePaths = [ cfg.dump.backupDir cfg.repositoryRoot cfg.stateDir cfg.lfs.contentDir ];
|
|
UMask = "0027";
|
|
@@ -587,15 +590,17 @@ in
|
|
ProtectKernelModules = true;
|
|
ProtectKernelLogs = true;
|
|
ProtectControlGroups = true;
|
|
- RestrictAddressFamilies = [ "AF_UNIX AF_INET AF_INET6" ];
|
|
+ RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
|
|
+ RestrictNamespaces = true;
|
|
LockPersonality = true;
|
|
MemoryDenyWriteExecute = true;
|
|
RestrictRealtime = true;
|
|
RestrictSUIDSGID = true;
|
|
+ RemoveIPC = true;
|
|
PrivateMounts = true;
|
|
# System Call Filtering
|
|
SystemCallArchitectures = "native";
|
|
- SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @memlock @module @mount @obsolete @raw-io @reboot @setuid @swap";
|
|
+ SystemCallFilter = [ "~@cpu-emulation @debug @keyring @memlock @mount @obsolete @privileged @resources @setuid" "setrlimit" ];
|
|
};
|
|
|
|
environment = {
|