From fd5bbdb4363cbd2935b0d5a37c4e7355f45e61a4 Mon Sep 17 00:00:00 2001
From: Eelco Dolstra
Date: Thu, 28 Jul 2016 17:39:14 +0200
Subject: [PATCH] nixos-containers: Set DevicePolicy=closed

This makes the container a bit more secure, by preventing root creating device nodes to access the host file system, for instance.

(Reference: systemd-nspawn@.service in systemd.)
---
 nixos/modules/virtualisation/containers.nix | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/nixos/modules/virtualisation/containers.nix b/nixos/modules/virtualisation/containers.nix
index 036e54e3847..8cfe90e67d1 100644
--- a/nixos/modules/virtualisation/containers.nix
+++ b/nixos/modules/virtualisation/containers.nix
@@ -415,6 +415,8 @@ in
 # after the timeout). So send an ignored signal.
 KillMode = "mixed";
 KillSignal = "WINCH";
+
+ DevicePolicy = "closed";
 };
 };
 in {
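Review bot: The new `DevicePolicy = "closed";` is added with no accompanying `DeviceAllow` entries and no comment, so the only device nodes a container process may open are the handful of pseudo devices systemd permits implicitly (/dev/null, /dev/zero, /dev/full, /dev/random, /dev/urandom and, depending on systemd version, a few others); the systemd-nspawn@.service unit the commit message cites pairs the same setting with explicit `DeviceAllow=` lines (e.g. `DeviceAllow=char-pts rw` and `DeviceAllow=/dev/net/tun rwm`), and nothing in this hunk gives a container configuration a way to add such entries, so containers that rely on other device nodes (bind-mounted or created inside the container) will presumably start failing with EPERM and no hint as to why. I would add a companion `DeviceAllow` mirroring the reference unit, or a per-container option that expands to `DeviceAllow` lines, and a why-comment above the new line such as `# Use the devices cgroup to restrict open()/mknod() of device nodes to systemd's implicit whitelist plus DeviceAllow= entries; mirrors systemd-nspawn@.service, so any extra device a container needs must be listed explicitly.` The restriction is enforced by the host's cgroup devices controller and does not replace dropping CAP_MKNOD/CAP_SYS_ADMIN inside the container, so the commit message's "preventing root creating device nodes to access the host file system" should be read as one layer, not as host-filesystem isolation on its own. The enclosing serviceConfig attribute set starts before this hunk.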