greg/nix-bitcoin
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

service hardening: add more restrictions

Browse Source 
Add RestrictSUIDSGID
Add RemoveIPC
Add RestrictRealtime
Add ProtectHostname
This commit is contained in:
nixbitcoin 2020-05-06 10:19:14 +02:00
parent 3fbfa98635
commit ccc3a70344
No known key found for this signature in database
GPG Key ID: DD11F9AD5308B3BA
1 changed files with 4 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
modules/nix-bitcoin-services.nix
View File

@ -21,6 +21,10 @@ with lib;
LockPersonality = "true"; LockPersonality = "true";
IPAddressDeny = "any"; IPAddressDeny = "any";
PrivateUsers = "true"; PrivateUsers = "true";
RestrictSUIDSGID = "true";
RemoveIPC = "true";
RestrictRealtime = "true";
ProtectHostname = "true";
CapabilityBoundingSet = ""; CapabilityBoundingSet = "";
# @system-service whitelist and docker seccomp blacklist (except for "clone" # @system-service whitelist and docker seccomp blacklist (except for "clone"
# which is a core requirement for systemd services) # which is a core requirement for systemd services)