common/dbus: harden dbus-broker units

2025-10-28 13:46:26 +09:00
parent a3542e6a6c
commit f2931da4ab
1 changed files with 60 additions and 0 deletions
--- a/hosts/common/services/dbus.nix
+++ b/hosts/common/services/dbus.nix
@@ -7,4 +7,64 @@
      gcr
    ];
  };
+
+  systemd.services.dbus-broker.serviceConfig = {
+    LockPersonality = "yes";
+    MemoryDenyWriteExecute = "yes";
+    NoNewPrivileges = "yes";
+    PrivateDevices = "yes";
+    ProtectClock = "yes";
+    ProtectControlGroups = "yes";
+    ProtectHome = "yes";
+    ProtectHostname = "yes";
+    ProtectKernelLogs = "yes";
+    ProtectKernelModules = "yes";
+    ProtectKernelTunables = "yes";
+    RestrictNamespaces = "yes";
+    RestrictRealtime = "yes";
+    RestrictSUIDSGID = "yes";
+    SystemCallArchitectures = "native";
+    UMask = "077";
+    RestrictAddressFamilies = [
+      "AF_UNIX"
+      "AF_NETLINK"
+    ];
+    SystemCallFilter = [
+      "@system-service"
+      "~@mount"
+      "~@resources"
+    ];
+    AmbientCapabilities = "CAP_AUDIT_WRITE";
+    CapabilityBoundingSet = "CAP_AUDIT_WRITE";
+  };
+
+  systemd.user.services.dbus-broker.serviceConfig = {
+    LockPersonality = "yes";
+    MemoryDenyWriteExecute = "yes";
+    NoNewPrivileges = "yes";
+    PrivateDevices = "yes";
+    ProtectClock = "yes";
+    ProtectControlGroups = "yes";
+    ProtectHome = "yes";
+    ProtectHostname = "yes";
+    ProtectKernelLogs = "yes";
+    ProtectKernelModules = "yes";
+    ProtectKernelTunables = "yes";
+    RestrictNamespaces = "yes";
+    RestrictRealtime = "yes";
+    RestrictSUIDSGID = "yes";
+    SystemCallArchitectures = "native";
+    UMask = "077";
+    RestrictAddressFamilies = [
+      "AF_UNIX"
+      "AF_NETLINK"
+    ];
+    SystemCallFilter = [
+      "@system-service"
+      "~@resources"
+      "~@privileged"
+    ];
+    AmbientCapabilities = "";
+    CapabilityBoundingSet = "";
+  };
 }