From dfd32f11f3ff1da571e499ed993dff99037e73bd Mon Sep 17 00:00:00 2001
From: Izorkin
Date: Fri, 31 Jul 2020 15:53:48 +0300
Subject: [PATCH] nixos/gitea: update sandboxing options
---
 nixos/modules/services/misc/gitea.nix | 35 ++++++++++++++++-----------
 1 file changed, 21 insertions(+), 14 deletions(-)
diff --git a/nixos/modules/services/misc/gitea.nix b/nixos/modules/services/misc/gitea.nix
index 734bf79ddf6..6c6541b9369 100644
--- a/nixos/modules/services/misc/gitea.nix
+++ b/nixos/modules/services/misc/gitea.nix
@@ -467,27 +467,34 @@ in
       # Runtime directory and mode
       RuntimeDirectory = "gitea";
       RuntimeDirectoryMode = "0755";
-
-      # Filesystem
-      ProtectHome = true;
-      PrivateDevices = true;
-      ProtectKernelTunables = true;
-      ProtectKernelModules = true;
-      ProtectControlGroups = true;
+      # Access write directories
       ReadWritePaths = [ cfg.dump.backupDir cfg.repositoryRoot cfg.stateDir ];
       UMask = "0027";
-      # Caps
+      # Capabilities
       CapabilityBoundingSet = "";
+      # Security
       NoNewPrivileges = true;
-      # Misc.
-      LockPersonality = true;
-      RestrictRealtime = true;
-      PrivateMounts = true;
+      # Sandboxing
+      ProtectSystem = "strict";
+      ProtectHome = true;
+      PrivateTmp = true;
+      PrivateDevices = true;
       PrivateUsers = true;
+      ProtectHostname = true;
+      ProtectClock = true;
+      ProtectKernelTunables = true;
+      ProtectKernelModules = true;
+      ProtectKernelLogs = true;
+      ProtectControlGroups = true;
+      RestrictAddressFamilies = [ "AF_UNIX AF_INET AF_INET6" ];
+      LockPersonality = true;
       MemoryDenyWriteExecute = true;
-      SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @memlock @module @mount @obsolete @raw-io @reboot @resources @setuid @swap";
+      RestrictRealtime = true;
+      RestrictSUIDSGID = true;
+      PrivateMounts = true;
+      # System Call Filtering
       SystemCallArchitectures = "native";
-      RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6";
+      SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @memlock @module @mount @obsolete @raw-io @reboot @resources @setuid @swap";
     };
     environment = {
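Review bot: `RestrictAddressFamilies = [ "AF_UNIX AF_INET AF_INET6" ];` in the Sandboxing group wraps the old space-separated string in a one-element list, so the families are still one string rather than list elements; the NixOS serviceConfig serializer presumably emits one `RestrictAddressFamilies=` line per element, which is why this still renders the same directive as the removed string, but the mixed syntax invites someone to add a fourth element and a fourth word in different places. Write it as a real list, `RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];` (systemd merges repeated assignments of this directive into one allow-list), or keep the plain string the hunk removes. With `ProtectSystem = "strict"` now in force, every path Gitea writes outside `cfg.dump.backupDir`, `cfg.repositoryRoot` and `cfg.stateDir` becomes read-only (RuntimeDirectory is implicitly writable per systemd.exec(5)), so any other configurable directory this module exposes, such as an LFS content dir if one exists, needs checking against `ReadWritePaths` before this lands. `RestrictNamespaces = true;` is the one common hardening directive still absent from the group and is worth adding if Gitea's git subprocesses do not need namespaces. The enclosing serviceConfig attribute set begins before the hunk.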