grimm-nixos-laptop/hardening/systemd/tty.nix
2025-01-11 14:41:03 +01:00


# Sandboxing overrides for the templated getty@ unit (virtual-console logins).
#
# NOTE(review): namespaces, seccomp filters and the capability bounding set are
# inherited by child processes, so these restrictions should also apply to the
# login shell and everything started from that TTY (for example, loopback-only
# networking because of PrivateNetwork). Verify on the target system that this
# is the intended scope.
{ lib, config, ... }:
let
  # True when this configuration declares at least one specialisation.
  # NOTE(review): this looks like the usual NixOS idiom for "apply to the
  # default system only, not to its specialisations" - confirm that intent.
  hasSpecialisations = config.specialisation != { };

  gettySandbox = {
    # --- Privileges -------------------------------------------------------
    # Upper bound on the capabilities any process of this unit can hold;
    # everything not listed (CAP_SYS_ADMIN, CAP_NET_ADMIN, CAP_SYS_MODULE,
    # CAP_SYS_PTRACE, ...) is dropped from the bounding set.
    # Presumably the minimum agetty/login need to hand a TTY to a user and
    # switch identity - TODO confirm against the login stack in use.
    CapabilityBoundingSet = [
      "CAP_CHOWN"
      "CAP_FOWNER"
      "CAP_FSETID"
      "CAP_SETGID"
      "CAP_SETUID"
      "CAP_SYS_NICE"
      "CAP_SYS_RESOURCE"
      "CAP_SYS_TTY_CONFIG"
    ];
    # Left disabled. Enabling it would stop setuid/setgid binaries and file
    # capabilities from granting privileges to anything started from this
    # TTY, which is probably why it is off - confirm.
    # NoNewPrivileges = true;
    # Left disabled. Would deny setting the set-user-ID/set-group-ID bits on
    # files from within the unit.
    # RestrictSUIDSGID = true;
    # Left disabled. Would run the unit in its own user namespace with a
    # minimal UID/GID mapping.
    # PrivateUsers = true;

    # --- Kernel surface ---------------------------------------------------
    # Each "~type" entry denies that namespace type to the unit.
    RestrictNamespaces = [
      "~pid"
      "~user"
      "~net"
      "~uts"
      "~mnt"
      "~cgroup"
      "~ipc"
    ];
    # Only syscalls of the native ABI are permitted.
    SystemCallArchitectures = "native";
    # Allow-list limited to the @system-service syscall group; mkForce makes
    # this definition win over lower-priority definitions of the same option.
    SystemCallFilter = lib.mkForce "@system-service";
    # Blocks changes to the execution domain (personality).
    LockPersonality = true;
    # Blocks memory mappings that are writable and executable at once.
    MemoryDenyWriteExecute = true;
    # Denies explicit kernel module loading.
    ProtectKernelModules = true;
    # Makes kernel tunables under /proc and /sys read-only for the unit.
    ProtectKernelTunables = true;
    # Makes the cgroup hierarchy read-only for the unit.
    ProtectControlGroups = true;
    # Left disabled. Would deny writes to the system and hardware clock.
    # ProtectClock = true;

    # --- Filesystem and process visibility --------------------------------
    # Home directories stay accessible; stated explicitly rather than relying
    # on the default.
    ProtectHome = false;
    # Hides other users' processes in /proc.
    ProtectProc = "invisible";
    # Left disabled. Would mount /usr and the boot loader directories
    # read-only for the unit.
    # ProtectSystem = true;

    # --- Network ----------------------------------------------------------
    # Separate network namespace containing only a loopback device.
    PrivateNetwork = true;
    # Socket creation is limited to the AF_UNIX address family.
    RestrictAddressFamilies = "AF_UNIX";
  };
in
{
  config.systemd.services = lib.mkIf hasSpecialisations {
    "getty@".serviceConfig = gettySandbox;
  };
}