From 99fac5e5aac02edc5954b89da49508108b4a363b Mon Sep 17 00:00:00 2001
From: h7x4
Date: Wed, 5 Nov 2025 09:21:40 +0900
Subject: [PATCH] common/rtkit: harden

---
 hosts/common/default.nix | 1 +
 hosts/common/services/rtkit.nix | 51 +++++++++++++++++++++++++++++++++
 2 files changed, 52 insertions(+)
 create mode 100644 hosts/common/services/rtkit.nix

diff --git a/hosts/common/default.nix b/hosts/common/default.nix
index 7840f32..81b4cbb 100644
--- a/hosts/common/default.nix
+++ b/hosts/common/default.nix
@@ -34,6 +34,7 @@ in {
   ./services/polkit.nix
   ./services/printing.nix
   ./services/resolved.nix
+  ./services/rtkit.nix
   ./services/smartd.nix
   ./services/systemd-lock-handler.nix
   ./services/udisks2.nix
diff --git a/hosts/common/services/rtkit.nix b/hosts/common/services/rtkit.nix
new file mode 100644
index 0000000..04dabee
--- /dev/null
+++ b/hosts/common/services/rtkit.nix
@@ -0,0 +1,51 @@
+{ config, pkgs, lib, ... }:
+let
+  cfg = config.security.rtkit;
+  package = pkgs.rtkit;
+in
+{
+  systemd.services.rtkit-daemon.serviceConfig = lib.mkIf cfg.enable {
+    # Needs to verify the user of the processes.
+    PrivateUsers = false;
+    # Needs to access other processes to modify their scheduling modes.
+    ProcSubset = "all";
+    ProtectProc = "default";
+    # Canary needs to be realtime.
+    RestrictRealtime = false;
+
+    RuntimeDirectory = [ "rtkit/root-mnt" ];
+    RootDirectory = "/run/rtkit/root-mnt";
+    BindPaths = [ "/run/dbus/system_bus_socket" ];
+    BindReadOnlyPaths = [
+      builtins.storeDir
+      "/etc"
+    ];
+    NoExecPaths = "/";
+    ExecPaths = "${package}/libexec/rtkit-daemon";
+
+    LockPersonality = true;
+    MemoryDenyWriteExecute = true;
+    NoNewPrivileges = true;
+    PrivateDevices = true;
+    PrivateTmp = "disconnected";
+    ProtectClock = true;
+    ProtectControlGroups = "strict";
+    ProtectHome = true;
+    ProtectHostname = true;
+    ProtectKernelLogs = true;
+    ProtectKernelModules = true;
+    ProtectKernelTunables = true;
+    ProtectSystem = "strict";
+    RemoveIPC = true;
+    RestrictAddressFamilies = [ "AF_UNIX" ];
+    IPAddressDeny = "any";
+    RestrictNamespaces = true;
+    RestrictSUIDSGID = true;
+    SystemCallArchitectures = "native";
+    SystemCallFilter = [
+      "@system-service"
+      "@mount" # Needs chroot(1)
+    ];
+    UMask = "0777";
+  };
+}
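Review bot: The comment on the `"@mount"` entry in `SystemCallFilter` cites the wrong manual section: the daemon needs the chroot system call, not the coreutils command, so it should read `"@mount" # Needs chroot(2)`, which is why the whole `@mount` group (mount/umount/pivot_root as well) is being admitted. The two least obvious settings carry no rationale; I would add `# The daemon creates no files; deny every permission bit on anything it does create.` above `UMask = "0777";` and `# Whole chroot is noexec; only the daemon binary (reached via the read-only store bind) may execute.` above `NoExecPaths = "/";`. `PrivateTmp = "disconnected"` and `ProtectControlGroups = "strict"` are string-valued forms that only fairly recent systemd releases accept; on an older systemd the unit would log a parse failure and silently fall back to the default for that setting, so a short comment naming the required systemd version (or a `lib.mkIf` on the version) would stop a host on an older channel from losing those protections unnoticed. That version threshold is inferred from the option forms, not visible on this page, so it should be confirmed against the systemd.exec(5) shipped by the hosts' channel.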