From 906f2d55946c74d03d05013d412de1aa98f88378 Mon Sep 17 00:00:00 2001
From: Alf Helge Jakobsen
Date: Sat, 9 Nov 2024 21:46:32 +0100
Subject: [PATCH 1/2] Update fetch-gallery.nix with hardening configs

---
 .../services/website/fetch-gallery.nix | 27 +++++++++++++++++++
 1 file changed, 27 insertions(+)

diff --git a/hosts/bekkalokk/services/website/fetch-gallery.nix b/hosts/bekkalokk/services/website/fetch-gallery.nix
index fba76a9..bd13460 100644
--- a/hosts/bekkalokk/services/website/fetch-gallery.nix
+++ b/hosts/bekkalokk/services/website/fetch-gallery.nix
@@ -62,6 +62,33 @@ in {
 WorkingDirectory = galleryDir;
 User = config.services.pvv-nettsiden.user;
 Group = config.services.pvv-nettsiden.group;
+
+ AmbientCapabilities = [ "" ];
+ CapabilityBoundingSet = [ "" ];
+ DeviceAllow = [ "" ];
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ NoNewPrivileges = true; # disable for third party rotate scripts
+ PrivateDevices = true;
+ #PrivateNetwork = true; # disable for mail delivery
+ PrivateTmp = true;
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ ProtectHome = true; # disable for userdir logs
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectProc = "invisible";
+ ProtectSystem = "full";
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true; # disable for creating setgid directories
+ #SocketBindDeny = [ "any" ];
+ SystemCallArchitectures = "native";
+ SystemCallFilter = [
+ "@system-service"
+ ];
 };
 };
 }
--
2.44.2

From de90a8e827617e768c0d78e4c7507be59ced8bff Mon Sep 17 00:00:00 2001
From: Alf Helge Jakobsen
Date: Sat, 9 Nov 2024 21:58:38 +0100
Subject: [PATCH 2/2] Disable network because tar file is pushed from Microbel separately

---
 hosts/bekkalokk/services/website/fetch-gallery.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
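Review bot: The trailing comments on `NoNewPrivileges`, `#PrivateNetwork`, `ProtectHome` and `RestrictSUIDSGID` ("third party rotate scripts", "mail delivery", "userdir logs", "setgid directories") describe a log-rotation unit rather than this gallery fetch service, so they read as copied boilerplate and will mislead whoever later relaxes one of them; replace each with the reason the setting is safe for this unit, or drop it. `ProtectSystem = "full"` only makes /usr, /boot, /efi and /etc read-only; if galleryDir is the only path the unit writes, `ProtectSystem = "strict";` together with `ReadWritePaths = [ galleryDir ];` is the tighter form and records the write set explicitly. Whether `MemoryDenyWriteExecute` and the `@system-service` filter are compatible with the script this unit runs cannot be told from the hunk, so it is worth noting in the commit message that the unit was exercised after the change (the journal will show a signal kill if a syscall is filtered). The enclosing serviceConfig attribute set begins before the hunk.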
diff --git a/hosts/bekkalokk/services/website/fetch-gallery.nix b/hosts/bekkalokk/services/website/fetch-gallery.nix
index bd13460..a96d70e 100644
--- a/hosts/bekkalokk/services/website/fetch-gallery.nix
+++ b/hosts/bekkalokk/services/website/fetch-gallery.nix
@@ -70,7 +70,7 @@ in {
 MemoryDenyWriteExecute = true;
 NoNewPrivileges = true; # disable for third party rotate scripts
 PrivateDevices = true;
- #PrivateNetwork = true; # disable for mail delivery
+ PrivateNetwork = true; # disable for mail delivery
 PrivateTmp = true;
 ProtectClock = true;
 ProtectControlGroups = true;
@@ -84,7 +84,7 @@ in {
 RestrictNamespaces = true;
 RestrictRealtime = true;
 RestrictSUIDSGID = true; # disable for creating setgid directories
- #SocketBindDeny = [ "any" ];
+ SocketBindDeny = [ "any" ];
 SystemCallArchitectures = "native";
 SystemCallFilter = [
 "@system-service"
--
2.44.2
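Review bot: The `# disable for mail delivery` comment survives on the now-enabled `PrivateNetwork = true;` line in the first hunk, so the setting and its annotation contradict each other; the reason given in the commit message belongs there instead, e.g. `PrivateNetwork = true; # tarball is pushed from Microbel, no network access needed`. With `PrivateNetwork = true` the unit only sees a private loopback interface, so `SocketBindDeny = [ "any" ]` in the second hunk adds little on its own; `RestrictAddressFamilies = [ "AF_UNIX" ];` (or `RestrictAddressFamilies = "none";` if the script opens no sockets at all) is the setting that stops the unit from creating network sockets in the first place, assuming the fetch script does not need them. Both hunks sit inside the same serviceConfig attribute set, which starts and ends outside the hunks.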