Merge pull request #85133 from snicket2100/mosquitto-service-sandboxing

mosquitto: systemd service sandboxing
2020-11-27 18:53:36 +01:00
parent eb7d367200 2b0ee787dd
commit a390213f85
1 changed files with 10 additions and 0 deletions
--- a/nixos/modules/services/networking/mosquitto.nix
+++ b/nixos/modules/services/networking/mosquitto.nix
@@ -232,6 +232,16 @@ in
        Restart = "on-failure";
        ExecStart = "${pkgs.mosquitto}/bin/mosquitto -c ${mosquittoConf}";
        ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
+
+        ProtectSystem = "strict";
+        ProtectHome = true;
+        PrivateDevices = true;
+        PrivateTmp = true;
+        ReadWritePaths = "${cfg.dataDir}";
+        ProtectControlGroups = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        NoNewPrivileges = true;
      };
      preStart = ''
        rm -f ${cfg.dataDir}/passwd