From 4ff9f663ebeacc4b68db56836fba1cecc962d8d3 Mon Sep 17 00:00:00 2001
From: h7x4
Date: Sun, 20 Oct 2024 01:29:48 +0200
Subject: [PATCH] systemd hardening
---
 module.nix | 39 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 39 insertions(+)
diff --git a/module.nix b/module.nix
index 009f265..d2519b4 100644
--- a/module.nix
+++ b/module.nix
@@ -105,6 +105,45 @@ in
 ExecStart = "${lib.getExe cfg.package} ${lib.cli.toGNUCommandLineShell { } cfg.settings}";
 Restart = "always";
 RestartSec = 3;
+
+ IPAddressDeny =
+ lib.optionals (lib.elem cfg.settings.host [ null "localhost" "127.0.0.1" ]) [ "any" ];
+
+ RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
+
+ AmbientCapabilities = [ "" ];
+ CapabilityBoundingSet = [ "" ];
+ DeviceAllow = [ "" ];
+ LockPersonality = true;
+ # Might work, but wouldn't bet on it with embedded scripting lang in mpv
+ MemoryDenyWriteExecute = false;
+ NoNewPrivileges = true;
+ # MPV and mesa tries to talk directly to the GPU.
+ PrivateDevices = false;
+ PrivateMounts = true;
+ PrivateTmp = true;
+ PrivateUsers = true;
+ ProcSubset = "pid";
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ ProtectHome = "tmpfs";
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectProc = "invisible";
+ ProtectSystem = "strict";
+ RemoveIPC = true;
+ UMask = "0077";
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ SystemCallArchitectures = "native";
+ SystemCallFilter = [
+ "@system-service"
+ "~@privileged"
+ "~@resources"
+ ];
 };
 };
 })
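Review bot: `IPAddressDeny = [ "any" ]`, enabled when `cfg.settings.host` is null, "localhost" or "127.0.0.1", also matches loopback traffic, so if the service serves that host over a TCP socket rather than a Unix socket, clients on 127.0.0.1 are cut off as well; under the same condition add `IPAddressAllow = [ "localhost" ];` so only loopback is reachable. `cfg.settings.host` is also evaluated unconditionally, which fails evaluation if `host` is not a declared option with a default and is absent from `settings`; `cfg.settings.host or null` avoids that, though whether it is declared is outside the hunk. With `PrivateUsers = true` and `PrivateDevices = false` the GPU device nodes are reached through a user namespace, which presumably needs the right `SupplementaryGroups` to keep working — worth a note next to the PrivateDevices comment once confirmed. The enclosing `serviceConfig` attribute set starts before the hunk.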