common/dbus: temporarily undo hardening, system broke :(

2025-11-05 08:41:07 +09:00
parent 27ac053b47
commit 52607f7ee6
1 changed files with 54 additions and 54 deletions
--- a/hosts/common/services/dbus.nix
+++ b/hosts/common/services/dbus.nix
@@ -9,62 +9,62 @@
  };

  systemd.services.dbus-broker.serviceConfig = {
-    LockPersonality = "yes";
-    MemoryDenyWriteExecute = "yes";
-    NoNewPrivileges = "yes";
-    PrivateDevices = "yes";
-    ProtectClock = "yes";
-    ProtectControlGroups = "yes";
-    ProtectHome = "yes";
-    ProtectHostname = "yes";
-    ProtectKernelLogs = "yes";
-    ProtectKernelModules = "yes";
-    ProtectKernelTunables = "yes";
-    RestrictNamespaces = "yes";
-    RestrictRealtime = "yes";
-    RestrictSUIDSGID = "yes";
-    SystemCallArchitectures = "native";
-    UMask = "077";
-    RestrictAddressFamilies = [
-      "AF_UNIX"
-      "AF_NETLINK"
-    ];
-    SystemCallFilter = [
-      "@system-service"
-      "~@mount"
-      "~@resources"
-    ];
-    AmbientCapabilities = "CAP_AUDIT_WRITE";
-    CapabilityBoundingSet = "CAP_AUDIT_WRITE";
+    # LockPersonality = "yes";
+    # MemoryDenyWriteExecute = "yes";
+    # NoNewPrivileges = "yes";
+    # PrivateDevices = "yes";
+    # ProtectClock = "yes";
+    # ProtectControlGroups = "yes";
+    # ProtectHome = "yes";
+    # ProtectHostname = "yes";
+    # ProtectKernelLogs = "yes";
+    # ProtectKernelModules = "yes";
+    # ProtectKernelTunables = "yes";
+    # RestrictNamespaces = "yes";
+    # RestrictRealtime = "yes";
+    # RestrictSUIDSGID = "yes";
+    # SystemCallArchitectures = "native";
+    # UMask = "077";
+    # RestrictAddressFamilies = [
+    #   "AF_UNIX"
+    #   "AF_NETLINK"
+    # ];
+    # SystemCallFilter = [
+    #   "@system-service"
+    #   "~@mount"
+    #   "~@resources"
+    # ];
+    # AmbientCapabilities = "CAP_AUDIT_WRITE";
+    # CapabilityBoundingSet = "CAP_AUDIT_WRITE";
  };

  systemd.user.services.dbus-broker.serviceConfig = {
-    LockPersonality = "yes";
-    MemoryDenyWriteExecute = "yes";
-    NoNewPrivileges = "yes";
-    PrivateDevices = "yes";
-    ProtectClock = "yes";
-    ProtectControlGroups = "yes";
-    ProtectHome = "yes";
-    ProtectHostname = "yes";
-    ProtectKernelLogs = "yes";
-    ProtectKernelModules = "yes";
-    ProtectKernelTunables = "yes";
-    RestrictNamespaces = "yes";
-    RestrictRealtime = "yes";
-    RestrictSUIDSGID = "yes";
-    SystemCallArchitectures = "native";
-    UMask = "077";
-    RestrictAddressFamilies = [
-      "AF_UNIX"
-      "AF_NETLINK"
-    ];
-    SystemCallFilter = [
-      "@system-service"
-      "~@resources"
-      "~@privileged"
-    ];
-    AmbientCapabilities = "";
-    CapabilityBoundingSet = "";
+    # LockPersonality = "yes";
+    # MemoryDenyWriteExecute = "yes";
+    # NoNewPrivileges = "yes";
+    # PrivateDevices = "yes";
+    # ProtectClock = "yes";
+    # ProtectControlGroups = "yes";
+    # ProtectHome = "yes";
+    # ProtectHostname = "yes";
+    # ProtectKernelLogs = "yes";
+    # ProtectKernelModules = "yes";
+    # ProtectKernelTunables = "yes";
+    # RestrictNamespaces = "yes";
+    # RestrictRealtime = "yes";
+    # RestrictSUIDSGID = "yes";
+    # SystemCallArchitectures = "native";
+    # UMask = "077";
+    # RestrictAddressFamilies = [
+    #   "AF_UNIX"
+    #   "AF_NETLINK"
+    # ];
+    # SystemCallFilter = [
+    #   "@system-service"
+    #   "~@resources"
+    #   "~@privileged"
+    # ];
+    # AmbientCapabilities = "";
+    # CapabilityBoundingSet = "";
  };
 }