public/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request #78134 from NinjaTrappeur/nin-harden-syncthing

Browse Source 
nixos/syncthing.nix: Sandbox the systemd service.
This commit is contained in:
Florian Klink 2020-01-21 22:30:04 +01:00 committed by GitHub
commit dea2d64c35
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 18 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
nixos/modules/services/networking/syncthing.nix
View File

@ -484,6 +484,24 @@ in {
-gui-address=${cfg.guiAddress} \ -gui-address=${cfg.guiAddress} \
-home=${cfg.configDir} -home=${cfg.configDir}
''; '';
MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
PrivateDevices = true;
PrivateMounts = true;
PrivateTmp = true;
PrivateUsers = true;
ProtectControlGroups = true;
ProtectHostname = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
CapabilityBoundingSet = [
"~CAP_SYS_PTRACE" "~CAP_SYS_ADMIN"
"~CAP_SETGID" "~CAP_SETUID" "~CAP_SETPCAP"
"~CAP_SYS_TIME" "~CAP_KILL"
];
}; };
}; };
syncthing-init = mkIf ( syncthing-init = mkIf (