Okay, now lock some stuff

2023-01-22 16:17:03 -08:00 · 2023-01-22 16:17:03 -08:00 · cb5aaf3efc
parent f92c5ce3a3
commit cb5aaf3efc
1 changed files with 15 additions and 15 deletions
--- a/objectifier-module.nix
+++ b/objectifier-module.nix
@ -65,21 +65,21 @@ in {
        OBJECTIFIER_CLEANUP_DELAY = toString cfg.cleanup.delay;
      };
      serviceConfig = {
-        # PrivateUsers = true;
-        # PrivateDevices = true;
-        # PrivateTmp = true;
-        # PrivateMounts = true;
-        # ProtectControlGroups = true;
-        # ProtectKernelTunables = true;
-        # ProtectKernelModules = true;
-        # ProtectSystem = true;
-        # ProtectHostname = true;
-        # ProtectHome = true;
-        # ProtectClock = true;
-        # ProtectKernelLogs = true;
-        # DynamicUser = true;
-        # MemoryDenyWriteExecute = true;
-        # RestrictRealtime = true;
+        PrivateUsers = true;
+        PrivateDevices = true;
+        PrivateTmp = true;
+        PrivateMounts = true;
+        ProtectControlGroups = true;
+        ProtectKernelTunables = true;
+        ProtectKernelModules = true;
+        ProtectSystem = true;
+        ProtectHostname = true;
+        ProtectHome = true;
+        ProtectClock = true;
+        ProtectKernelLogs = true;
+        DynamicUser = true;
+        MemoryDenyWriteExecute = true;
+        RestrictRealtime = true;
        # LockPersonality = true;
        # PermissionsStartOnly = true;
        WorkingDirectory = "${pkgs.objectifier}";