JakeHillion/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

nixos/babeld: update hardening

Browse Source
This commit is contained in:
Martin Weinelt 2021-06-20 13:52:03 +02:00
parent 34e5bf44fb
commit 8739f8cd7b
No known key found for this signature in database
GPG Key ID: 87C1E9888F856759
1 changed files with 7 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
nixos/modules/services/networking/babeld.nix
View File

@ -104,6 +104,7 @@ in
ExecStart = "${pkgs.babeld}/bin/babeld -c ${configFile} -I /run/babeld/babeld.pid -S /var/lib/babeld/state"; ExecStart = "${pkgs.babeld}/bin/babeld -c ${configFile} -I /run/babeld/babeld.pid -S /var/lib/babeld/state";
AmbientCapabilities = [ "CAP_NET_ADMIN" ]; AmbientCapabilities = [ "CAP_NET_ADMIN" ];
CapabilityBoundingSet = [ "CAP_NET_ADMIN" ]; CapabilityBoundingSet = [ "CAP_NET_ADMIN" ];
DevicePolicy = "closed";
DynamicUser = true; DynamicUser = true;
IPAddressAllow = [ "fe80::/64" "ff00::/8" "::1/128" "127.0.0.0/8" ]; IPAddressAllow = [ "fe80::/64" "ff00::/8" "::1/128" "127.0.0.0/8" ];
IPAddressDeny = "any"; IPAddressDeny = "any";
@ -123,12 +124,17 @@ in
RemoveIPC = true; RemoveIPC = true;
ProtectHome = true; ProtectHome = true;
ProtectHostname = true; ProtectHostname = true;
ProtectProc = "invisible";
PrivateMounts = true; PrivateMounts = true;
PrivateTmp = true; PrivateTmp = true;
PrivateDevices = true; PrivateDevices = true;
PrivateUsers = false; # kernel_route(ADD): Operation not permitted PrivateUsers = false; # kernel_route(ADD): Operation not permitted
ProcSubset = "pid";
SystemCallArchitectures = "native"; SystemCallArchitectures = "native";
SystemCallFilter = [ "@system-service" ]; SystemCallFilter = [
"@system-service"
"~@privileged @resources"
];
UMask = "0177"; UMask = "0177";
RuntimeDirectory = "babeld"; RuntimeDirectory = "babeld";
StateDirectory = "babeld"; StateDirectory = "babeld";