greg/nix-bitcoin
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix memory deny write execute for nodejs services

Browse Source
This commit is contained in:
Jonas Nick 2019-04-27 22:27:25 +00:00
parent a089d65d25
commit d9533edad1
No known key found for this signature in database
GPG Key ID: 4861DBF262123605
4 changed files with 15 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
modules/lightning-charge.nix
View File

@ -38,7 +38,7 @@ in {
User = "clightning"; User = "clightning";
Restart = "on-failure"; Restart = "on-failure";
RestartSec = "10s"; RestartSec = "10s";
} // nix-bitcoin-services.defaultHardening; } // nix-bitcoin-services.nodeHardening;
}; };
}; };
} }

2
modules/nanopos.nix
View File

@ -74,7 +74,7 @@ in {
User = "nanopos"; User = "nanopos";
Restart = "on-failure"; Restart = "on-failure";
RestartSec = "10s"; RestartSec = "10s";
} // nix-bitcoin-services.defaultHardening; } // nix-bitcoin-services.nodeHardening;
}; };
}; };
} }

13
modules/nix-bitcoin-services.nix
View File

@ -1,11 +1,22 @@
{ let
defaultHardening = { defaultHardening = {
PrivateTmp = "true"; PrivateTmp = "true";
ProtectSystem = "full"; ProtectSystem = "full";
ProtectHome = "true";
NoNewPrivileges = "true"; NoNewPrivileges = "true";
PrivateDevices = "true"; PrivateDevices = "true";
MemoryDenyWriteExecute = "true"; MemoryDenyWriteExecute = "true";
ProtectKernelTunables = "true";
ProtectKernelModules = "true";
ProtectControlGroups = "true";
RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6";
LockPersonality = "true";
}; };
in
{
inherit defaultHardening;
# node applications apparently rely on memory write execute
nodeHardening = defaultHardening // { MemoryDenyWriteExecute = "false"; };
} }

2
modules/spark-wallet.nix
View File

@ -64,7 +64,7 @@ in {
User = "clightning"; User = "clightning";
Restart = "on-failure"; Restart = "on-failure";
RestartSec = "10s"; RestartSec = "10s";
} // nix-bitcoin-services.defaultHardening; } // nix-bitcoin-services.nodeHardening;
}; };
}; };
} }