From a476f877d2a3d852cc2b2230ee2ed11b9e7eae1c Mon Sep 17 00:00:00 2001
From: h7x4
Date: Sun, 20 Oct 2024 01:29:48 +0200
Subject: [PATCH] systemd hardening
---
 module.nix | 40 +++++++++++++++++++++++++++++++++++++---
 1 file changed, 37 insertions(+), 3 deletions(-)
diff --git a/module.nix b/module.nix
index 009f265..61d3542 100644
--- a/module.nix
+++ b/module.nix
@@ -97,14 +97,48 @@ in
 description = "greg-ng, an mpv based media player";
 wantedBy = [ "graphical-session.target" ];
 partOf = [ "graphical-session.target" ];
- environment = {
- RUST_LOG = lib.mkIf cfg.enableDebug "greg_ng=trace,mpvipc=trace";
- };
+ environment.RUST_LOG = lib.mkIf cfg.enableDebug "greg_ng=trace,mpvipc=trace";
 serviceConfig = {
 Type = "simple";
 ExecStart = "${lib.getExe cfg.package} ${lib.cli.toGNUCommandLineShell { } cfg.settings}";
 Restart = "always";
 RestartSec = 3;
+
+ RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
+ AmbientCapabilities = [ "" ];
+ CapabilityBoundingSet = [ "" ];
+ DeviceAllow = [ "" ];
+ LockPersonality = true;
+ # Might work, but wouldn't bet on it with embedded lua in mpv
+ MemoryDenyWriteExecute = false;
+ NoNewPrivileges = true;
+ # MPV and mesa tries to talk directly to the GPU.
+ PrivateDevices = false;
+ PrivateMounts = true;
+ PrivateTmp = true;
+ PrivateUsers = true;
+ ProcSubset = "pid";
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ # MPV wants ~/.cache
+ ProtectHome = false;
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectProc = "invisible";
+ ProtectSystem = "full";
+ RemoveIPC = true;
+ UMask = "0077";
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ SystemCallArchitectures = "native";
+ SystemCallFilter = [
+ "@system-service"
+ "~@privileged"
+ "~@resources"
+ ];
 };
 };
 })
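Review bot: `ProtectHome = false` leaves the entire home directory writable to the unit, although the comment directly above it states that the only requirement is `~/.cache`; a narrower setting is `ProtectHome = "read-only";` together with `ReadWritePaths = [ "%h/.cache" ];` (or `%C`, the user cache directory specifier). `ProtectHome=read-only` also makes `/run/user` read-only, so `%t` may need to be added to `ReadWritePaths` if the service writes its IPC socket or other state there — cfg.settings is not visible in the hunk, so that cannot be checked here. The unit is pulled in by `graphical-session.target`, which suggests a user service; in that mode the mount-related options (`ProtectSystem`, `PrivateTmp`, `ProtectHome`) only apply because `PrivateUsers = true` is set alongside them, and that dependency deserves a comment such as `# PrivateUsers is required for the mount-namespace options to take effect in a user service`. The enclosing service attribute set starts outside the hunk.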