62 lines
1.4 KiB
Nix
62 lines
1.4 KiB
Nix
{
|
|
lib,
|
|
config,
|
|
...
|
|
}:
|
|
{
|
|
config.systemd.services = lib.mkIf (config.specialisation != { }) {
|
|
dbus-broker.serviceConfig = {
|
|
DevicePolicy = "closed";
|
|
KeyringMode = "private";
|
|
LockPersonality = true;
|
|
MemoryDenyWriteExecute = true;
|
|
NoNewPrivileges = true;
|
|
PrivateDevices = true;
|
|
PrivateTmp = true;
|
|
ProtectClock = true;
|
|
ProtectControlGroups = true;
|
|
ProtectHome = "read-only";
|
|
ProtectHostname = true;
|
|
ProtectKernelLogs = true;
|
|
ProtectKernelModules = true;
|
|
ProtectKernelTunables = true;
|
|
ProtectProc = "invisible";
|
|
ProtectSystem = "full";
|
|
RestrictRealtime = true;
|
|
RestrictSUIDSGID = true;
|
|
SystemCallArchitectures = "native";
|
|
|
|
RestrictAddressFamilies = [
|
|
# "AF_INET"
|
|
# "AF_INET6"
|
|
"AF_UNIX"
|
|
];
|
|
RestrictNamespaces = [
|
|
"~pid"
|
|
"~user"
|
|
"~net"
|
|
"~uts"
|
|
"~mnt"
|
|
"~cgroup"
|
|
"~ipc"
|
|
];
|
|
SystemCallFilter = [
|
|
"@system-service"
|
|
"@privileged"
|
|
];
|
|
|
|
PrivateMounts = true;
|
|
|
|
# CapabilityBoundingSet = [
|
|
# "CAP_NET_BIND_SERVICE"
|
|
# "CAP_SETGID"
|
|
# "CAP_SETUID"
|
|
# "CAP_SYS_CHROOT"
|
|
# "cap_dac_override"
|
|
# ];
|
|
|
|
# PrivateUsers = false; # important
|
|
# PrivateNetwork = false; # important
|
|
};
|
|
};
|
|
}
|