Projects/greg-ng
Projects
/
greg-ng
7
0
Fork 0
Code Issues 24 Pull Requests Releases Activity

module.nix: relax hardening

This commit is contained in:
Oystein Kristoffer Tveit 2024-10-22 19:49:52 +02:00
parent 9934b11766
commit 355d2ad13d
Signed by: oysteikt
GPG Key ID: 9F2F7D8250F35146
1 changed files with 8 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
module.nix
View File

@ -135,18 +135,20 @@ in
ProtectKernelModules = true; ProtectKernelModules = true;
ProtectKernelTunables = true; ProtectKernelTunables = true;
ProtectProc = "invisible"; ProtectProc = "invisible";
ProtectSystem = "full"; # I'll figure it out sometime
# ProtectSystem = "full";
RemoveIPC = true; RemoveIPC = true;
UMask = "0077"; UMask = "0077";
RestrictNamespaces = true; RestrictNamespaces = true;
RestrictRealtime = true; RestrictRealtime = true;
RestrictSUIDSGID = true; RestrictSUIDSGID = true;
SystemCallArchitectures = "native"; SystemCallArchitectures = "native";
SystemCallFilter = [ # Something brokey
"@system-service" # SystemCallFilter = [
"~@privileged" # "@system-service"
"~@resources" # "~@privileged"
]; # "~@resources"
# ];
}; };
}; };
}) })