authorIzorkin <izorkin@elven.pw>2020-07-31 15:53:48 +0300
committerIzorkin <izorkin@elven.pw>2020-08-05 11:19:32 +0300
commitdfd32f11f3ff1da571e499ed993dff99037e73bd (patch)
treec1354f8912b97f666896f2217b5b61ccc1dca7ed /nixos/modules/services/misc/gitea.nix
parent6a0fd33b4c15d7e0e0b0cdad5ef280eba32ccdcc (diff)
nixos/gitea: update sandboxing options
Diffstat (limited to 'nixos/modules/services/misc/gitea.nix')
-rw-r--r--nixos/modules/services/misc/gitea.nix31
1 files changed, 19 insertions, 12 deletions
diff --git a/nixos/modules/services/misc/gitea.nix b/nixos/modules/services/misc/gitea.nix
index 734bf79ddf6..6c6541b9369 100644
--- a/nixos/modules/services/misc/gitea.nix
+++ b/nixos/modules/services/misc/gitea.nix
@@ -467,27 +467,34 @@ in
         # Runtime directory and mode
         RuntimeDirectory = "gitea";
         RuntimeDirectoryMode = "0755";
-
-        # Filesystem
+        # Access write directories
+        ReadWritePaths = [ cfg.dump.backupDir cfg.repositoryRoot cfg.stateDir ];
+        UMask = "0027";
+        # Capabilities
+        CapabilityBoundingSet = "";
+        # Security
+        NoNewPrivileges = true;
+        # Sandboxing
+        ProtectSystem = "strict";
         ProtectHome = true;
+        PrivateTmp = true;
         PrivateDevices = true;
+        PrivateUsers = true;
+        ProtectHostname = true;
+        ProtectClock = true;
         ProtectKernelTunables = true;
         ProtectKernelModules = true;
+        ProtectKernelLogs = true;
         ProtectControlGroups = true;
-        ReadWritePaths = [ cfg.dump.backupDir cfg.repositoryRoot cfg.stateDir ];
-        UMask = "0027";
-        # Caps
-        CapabilityBoundingSet = "";
-        NoNewPrivileges = true;
-        # Misc.
+        RestrictAddressFamilies = [ "AF_UNIX AF_INET AF_INET6" ];
         LockPersonality = true;
+        MemoryDenyWriteExecute = true;
         RestrictRealtime = true;
+        RestrictSUIDSGID = true;
         PrivateMounts = true;
-        PrivateUsers = true;
-        MemoryDenyWriteExecute = true;
-        SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @memlock @module @mount @obsolete @raw-io @reboot @resources @setuid @swap";
+        # System Call Filtering
         SystemCallArchitectures = "native";
-        RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6";
+        SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @memlock @module @mount @obsolete @raw-io @reboot @resources @setuid @swap";
       };
 
       environment = {
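Review bot: The new `RestrictAddressFamilies` line wraps a single space-separated string in a list, which mixes the two notations: as written the list has one element, `"AF_UNIX AF_INET AF_INET6"`, rather than three families. NixOS renders a list-valued serviceConfig entry as one `Key=` line per element, so this still emits a single `RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6` line that systemd accepts, but the next person adding a family is likely to append a fourth element and get inconsistent output; either keep the plain string the old line used or split it properly, `RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];`. Since this is the directive that decides which socket families the sandboxed service may open, the value is worth reading at a glance. The enclosing serviceConfig attribute set starts before the hunk; only its closing `};` is visible here.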