nixos/unit: enable sanboxing
This commit is contained in:
parent
e8bb94fca9
commit
7443d9dfd4
@ -85,7 +85,7 @@ in {
|
||||
systemd.tmpfiles.rules = [
|
||||
"d '${cfg.stateDir}' 0750 ${cfg.user} ${cfg.group} - -"
|
||||
"d '${cfg.logDir}' 0750 ${cfg.user} ${cfg.group} - -"
|
||||
];
|
||||
];
|
||||
|
||||
systemd.services.unit = {
|
||||
description = "Unit App Server";
|
||||
@ -99,17 +99,33 @@ in {
|
||||
curl -X PUT --data-binary '@${configFile}' --unix-socket '/run/unit/control.unit.sock' 'http://localhost/config'
|
||||
'';
|
||||
serviceConfig = {
|
||||
User = cfg.user;
|
||||
Group = cfg.group;
|
||||
AmbientCapabilities = "CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID";
|
||||
CapabilityBoundingSet = "CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID";
|
||||
ExecStart = ''
|
||||
${cfg.package}/bin/unitd --control 'unix:/run/unit/control.unit.sock' --pid '/run/unit/unit.pid' \
|
||||
--log '${cfg.logDir}/unit.log' --state '${cfg.stateDir}' --no-daemon \
|
||||
--user ${cfg.user} --group ${cfg.group}
|
||||
'';
|
||||
# User and group
|
||||
User = cfg.user;
|
||||
Group = cfg.group;
|
||||
# Capabilities
|
||||
AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" "CAP_SETGID" "CAP_SETUID" ];
|
||||
# Security
|
||||
NoNewPrivileges = true;
|
||||
# Sanboxing
|
||||
ProtectSystem = "full";
|
||||
ProtectHome = true;
|
||||
RuntimeDirectory = "unit";
|
||||
RuntimeDirectoryMode = "0750";
|
||||
PrivateTmp = true;
|
||||
PrivateDevices = true;
|
||||
ProtectHostname = true;
|
||||
ProtectKernelTunables = true;
|
||||
ProtectKernelModules = true;
|
||||
ProtectControlGroups = true;
|
||||
LockPersonality = true;
|
||||
MemoryDenyWriteExecute = true;
|
||||
RestrictRealtime = true;
|
||||
PrivateMounts = true;
|
||||
};
|
||||
};
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user