authorPhilipp Bartsch <phil@grmr.de>2020-07-16 04:15:44 +0200
committerPhilipp Bartsch <phil@grmr.de>2020-07-16 21:15:22 +0200
commit7e9f3e9eb16ca1814199872f2d44ece88297e9cb (patch)
tree2d9dd9391bf745f6ac4c3b056fff82364dbd725c
parent5e1d1418095bc1faf910914eee81effad070b0bc (diff)
nixos/rspamd: add systemd service sandbox
Drop preStart script in favour of systemd StateDirectory parameter.
-rw-r--r--nixos/modules/services/mail/rspamd.nix39
1 files changed, 33 insertions, 6 deletions
diff --git a/nixos/modules/services/mail/rspamd.nix b/nixos/modules/services/mail/rspamd.nix
index aacdbe2aeed..2707bd16cdb 100644
--- a/nixos/modules/services/mail/rspamd.nix
+++ b/nixos/modules/services/mail/rspamd.nix
@@ -394,16 +394,43 @@ in
       restartTriggers = [ rspamdDir ];
 
       serviceConfig = {
-        ExecStart = "${pkgs.rspamd}/bin/rspamd ${optionalString cfg.debug "-d"} --user=${cfg.user} --group=${cfg.group} --pid=/run/rspamd.pid -c /etc/rspamd/rspamd.conf -f";
+        ExecStart = "${pkgs.rspamd}/bin/rspamd ${optionalString cfg.debug "-d"} -c /etc/rspamd/rspamd.conf -f";
         Restart = "always";
+
+        User = "${cfg.user}";
+        Group = "${cfg.group}";
+
         RuntimeDirectory = "rspamd";
+        RuntimeDirectoryMode = "0755";
+        StateDirectory = "rspamd";
+        StateDirectoryMode = "0700";
+
+        AmbientCapabilities = "";
+        CapabilityBoundingSet = "";
+        DevicePolicy = "closed";
+        LockPersonality = true;
+        NoNewPrivileges = true;
+        PrivateDevices = true;
+        PrivateMounts = true;
         PrivateTmp = true;
+        PrivateUsers = true;
+        ProtectClock = true;
+        ProtectControlGroups = true;
+        ProtectHome = true;
+        ProtectHostname = true;
+        ProtectKernelLogs = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        ProtectSystem = "strict";
+        RemoveIPC = true;
+        RestrictAddressFamilies = "AF_INET AF_INET6 AF_UNIX";
+        RestrictNamespaces = true;
+        RestrictRealtime = true;
+        RestrictSUIDSGID = true;
+        SystemCallArchitectures = "native";
+        SystemCallFilter = "@system-service";
+        UMask = "0077";
       };
-
-      preStart = ''
-        ${pkgs.coreutils}/bin/mkdir -p /var/lib/rspamd
-        ${pkgs.coreutils}/bin/chown ${cfg.user}:${cfg.group} /var/lib/rspamd
-      '';
     };
   };
   imports = [
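Review bot: `UMask = "0077"` together with `RuntimeDirectoryMode = "0755"` means any Unix socket rspamd creates under /run/rspamd without an explicit `mode=` in its bind_socket directive will be created 0700, which locks out an MTA running as a different user (e.g. Postfix connecting to the milter or proxy socket); please confirm the module's socket definitions always pass an explicit mode, or document the constraint next to `UMask`. Replacing `--user/--group` with `User=`/`Group=` plus an empty `CapabilityBoundingSet` also changes the privilege model: rspamd no longer starts as root and drops privileges itself, so a worker bound to a port below 1024 or any key/config file readable only by root will now fail at start rather than work as before — a one-line comment such as `# Starts unprivileged: no CAP_NET_BIND_SERVICE, all files rspamd reads must be accessible to ${cfg.user}` would save the next reader a debugging session. Since `ProtectSystem = "strict"` makes everything outside the declared RuntimeDirectory/StateDirectory read-only, it is worth stating (or verifying) that rspamd's log output in this module goes to the journal rather than a file path under /var/log, as no LogsDirectory is declared; I cannot see the logging configuration from this hunk.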