From f2931da4ab9f2fb196b6d3f3c46969fe3799a624 Mon Sep 17 00:00:00 2001
From: h7x4
Date: Tue, 28 Oct 2025 13:46:26 +0900
Subject: [PATCH] common/dbus: harden dbus-broker units
---
hosts/common/services/dbus.nix | 60 ++++++++++++++++++++++++++++++++++
1 file changed, 60 insertions(+)
diff --git a/hosts/common/services/dbus.nix b/hosts/common/services/dbus.nix
index 99e41c5..7a59103 100644
--- a/hosts/common/services/dbus.nix
+++ b/hosts/common/services/dbus.nix
@@ -7,4 +7,64 @@
 gcr
 ];
 };
+
+ systemd.services.dbus-broker.serviceConfig = {
+ LockPersonality = "yes";
+ MemoryDenyWriteExecute = "yes";
+ NoNewPrivileges = "yes";
+ PrivateDevices = "yes";
+ ProtectClock = "yes";
+ ProtectControlGroups = "yes";
+ ProtectHome = "yes";
+ ProtectHostname = "yes";
+ ProtectKernelLogs = "yes";
+ ProtectKernelModules = "yes";
+ ProtectKernelTunables = "yes";
+ RestrictNamespaces = "yes";
+ RestrictRealtime = "yes";
+ RestrictSUIDSGID = "yes";
+ SystemCallArchitectures = "native";
+ UMask = "077";
+ RestrictAddressFamilies = [
+ "AF_UNIX"
+ "AF_NETLINK"
+ ];
+ SystemCallFilter = [
+ "@system-service"
+ "~@mount"
+ "~@resources"
+ ];
+ AmbientCapabilities = "CAP_AUDIT_WRITE";
+ CapabilityBoundingSet = "CAP_AUDIT_WRITE";
+ };
+
+ systemd.user.services.dbus-broker.serviceConfig = {
+ LockPersonality = "yes";
+ MemoryDenyWriteExecute = "yes";
+ NoNewPrivileges = "yes";
+ PrivateDevices = "yes";
+ ProtectClock = "yes";
+ ProtectControlGroups = "yes";
+ ProtectHome = "yes";
+ ProtectHostname = "yes";
+ ProtectKernelLogs = "yes";
+ ProtectKernelModules = "yes";
+ ProtectKernelTunables = "yes";
+ RestrictNamespaces = "yes";
+ RestrictRealtime = "yes";
+ RestrictSUIDSGID = "yes";
+ SystemCallArchitectures = "native";
+ UMask = "077";
+ RestrictAddressFamilies = [
+ "AF_UNIX"
+ "AF_NETLINK"
+ ];
+ SystemCallFilter = [
+ "@system-service"
+ "~@resources"
+ "~@privileged"
+ ];
+ AmbientCapabilities = "";
+ CapabilityBoundingSet = "";
+ };
 }
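Review bot: `ProtectHome = "yes"` in the `systemd.user.services.dbus-broker` block looks risky for a session bus: per systemd.exec(5) it makes `/home`, `/root` and `/run/user` inaccessible, and a user-scope unit only gets it through an implicitly enabled `PrivateUsers=` (unprivileged user namespaces), while the user bus socket lives under `$XDG_RUNTIME_DIR` and user-installed activatable services are discovered from `~/.local/share/dbus-1/services` — the listening fd is inherited from `dbus.socket`, but anything the launcher opens by path may break, so this needs a test on a real session before rollout, and `ProtectHome = "read-only";` is the setting I would try first. The two attribute sets are otherwise identical except for the `SystemCallFilter` tail and the two capability lines, so I would hoist the shared directives into a `let` binding and keep only those deltas per scope, which also stops the two lists drifting apart on the next edit. `AF_NETLINK` in `RestrictAddressFamilies` is only needed for the audit path (the system block keeps `CAP_AUDIT_WRITE` for the same reason); if the user launcher is not started with `--audit`, it can be dropped there. Finally, `~@resources` denies `setrlimit`/`prlimit64`, so if the launcher raises `RLIMIT_NOFILE` on its own that call now fails with EPERM — worth checking the journal after the first boot with this applied.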