public
/
objectifier
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Harden the module service.

This commit is contained in:
niten 2023-01-12 11:15:43 -08:00
parent a0af563334
commit 8f25a59324
1 changed files with 17 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

34
objectifier-module.nix
View File

@ -65,23 +65,23 @@ in {
OBJECTIFIER_CLEANUP_DELAY = toString cfg.cleanup.delay; OBJECTIFIER_CLEANUP_DELAY = toString cfg.cleanup.delay;
}; };
serviceConfig = { serviceConfig = {
# PrivateUsers = true; PrivateUsers = true;
# PrivateDevices = true; PrivateDevices = true;
# PrivateTmp = true; PrivateTmp = true;
# PrivateMounts = true; PrivateMounts = true;
# ProtectControlGroups = true; ProtectControlGroups = true;
# ProtectKernelTunables = true; ProtectKernelTunables = true;
# ProtectKernelModules = true; ProtectKernelModules = true;
# ProtectSystem = true; ProtectSystem = true;
# ProtectHostname = true; ProtectHostname = true;
# ProtectHome = true; ProtectHome = true;
# ProtectClock = true; ProtectClock = true;
# ProtectKernelLogs = true; ProtectKernelLogs = true;
# DynamicUser = true; DynamicUser = true;
# MemoryDenyWriteExecute = true; MemoryDenyWriteExecute = true;
# RestrictRealtime = true; RestrictRealtime = true;
# LockPersonality = true; LockPersonality = true;
# PermissionsStartOnly = true; PermissionsStartOnly = true;
WorkingDirectory = "${pkgs.objectifier}"; WorkingDirectory = "${pkgs.objectifier}";
StateDirectory = "objectifier"; StateDirectory = "objectifier";
CacheDirectory = "objectifier"; CacheDirectory = "objectifier";