From d31202fba2afe24a9a4c7feb52c462bb6d786191 Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Mon, 9 Mar 2015 11:26:18 +0100 Subject: [PATCH] sshd: Enable seccomp sandboxing --- nixos/modules/services/networking/ssh/sshd.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/nixos/modules/services/networking/ssh/sshd.nix b/nixos/modules/services/networking/ssh/sshd.nix index a7617d02c18..b11f996c63c 100644 --- a/nixos/modules/services/networking/ssh/sshd.nix +++ b/nixos/modules/services/networking/ssh/sshd.nix @@ -381,6 +381,8 @@ in UsePAM yes + UsePrivilegeSeparation sandbox + AddressFamily ${if config.networking.enableIPv6 then "any" else "inet"} ${concatMapStrings (port: '' Port ${toString port}
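Review bot: The added `UsePrivilegeSeparation sandbox` line does not by itself guarantee the seccomp sandbox the subject promises. The keyword only asks sshd to sandbox its pre-authentication child, and which mechanism that is (seccomp filter, rlimit, or another) is fixed when the openssh package is built. It is worth confirming that the package used here is built with the seccomp filter sandbox and recording it in the generated file, e.g. `# Pre-auth sandbox; mechanism (seccomp filter on Linux) is chosen at openssh build time`. The directive is also emitted unconditionally, and sshd keeps the first value it reads for a keyword, so a free-form config section appended later in the template could presumably not change it. The rest of the template lies outside the hunk, so that needs checking there.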