greg/nix-bitcoin
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

services: improve default hardening

Browse Source
This commit is contained in:
nixbitcoin 2021-01-30 23:08:38 +01:00
parent 3b938a909f
commit d56a363d3d
No known key found for this signature in database
GPG Key ID: B6044ECBA2DAE5D0
1 changed files with 5 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
pkgs/lib.nix
View File

@ -15,6 +15,11 @@ let self = {
MemoryDenyWriteExecute = "true"; MemoryDenyWriteExecute = "true";
ProtectKernelTunables = "true"; ProtectKernelTunables = "true";
ProtectKernelModules = "true"; ProtectKernelModules = "true";
ProtectKernelLogs = "true";
ProtectClock = "true";
# Test and enable these when systemd v247 is available
# ProtectProc = "invisible";
# ProcSubset = "pid";
ProtectControlGroups = "true"; ProtectControlGroups = "true";
RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6"; RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6";
RestrictNamespaces = "true"; RestrictNamespaces = "true";