diff options
| author | talyz <kim.lindberger@gmail.com> | 2021-06-07 13:14:44 +0200 |
|---|---|---|
| committer | talyz <kim.lindberger@gmail.com> | 2021-06-07 14:19:57 +0200 |
| commit | 7cc39b13b00dd8ce5eebc5a1cb53e3de22dc9b99 (patch) | |
| tree | b6f92202d7fc37a3c1133b91af4c41de8149a5a1 /nixos/modules/services/misc/geoipupdate.nix | |
| parent | 41c82cd57033ce8122899b8cf96dc824c7ce7e8d (diff) | |
| download | nixpkgs-7cc39b13b00dd8ce5eebc5a1cb53e3de22dc9b99.tar nixpkgs-7cc39b13b00dd8ce5eebc5a1cb53e3de22dc9b99.tar.gz nixpkgs-7cc39b13b00dd8ce5eebc5a1cb53e3de22dc9b99.tar.bz2 nixpkgs-7cc39b13b00dd8ce5eebc5a1cb53e3de22dc9b99.tar.lz nixpkgs-7cc39b13b00dd8ce5eebc5a1cb53e3de22dc9b99.tar.xz nixpkgs-7cc39b13b00dd8ce5eebc5a1cb53e3de22dc9b99.tar.zst nixpkgs-7cc39b13b00dd8ce5eebc5a1cb53e3de22dc9b99.zip | |
nixos/geoipupdate: Add stricter service security
Diffstat (limited to 'nixos/modules/services/misc/geoipupdate.nix')
| -rw-r--r-- | nixos/modules/services/misc/geoipupdate.nix | 20 |
1 files changed, 20 insertions, 0 deletions
diff --git a/nixos/modules/services/misc/geoipupdate.nix b/nixos/modules/services/misc/geoipupdate.nix index 15d6051fce5..3211d4d88e4 100644 --- a/nixos/modules/services/misc/geoipupdate.nix +++ b/nixos/modules/services/misc/geoipupdate.nix @@ -150,6 +150,26 @@ in ReadWritePaths = cfg.settings.DatabaseDirectory; RuntimeDirectory = "geoipupdate"; RuntimeDirectoryMode = 0700; + CapabilityBoundingSet = ""; + PrivateDevices = true; + PrivateMounts = true; + PrivateUsers = true; + ProtectClock = true; + ProtectControlGroups = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectProc = "invisible"; + ProcSubset = "pid"; + SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ]; + RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ]; + RestrictRealtime = true; + RestrictNamespaces = true; + MemoryDenyWriteExecute = true; + LockPersonality = true; + SystemCallArchitectures = "native"; }; }; |