author | Izorkin <izorkin@elven.pw> | 2020-07-31 15:53:48 +0300 |
---|---|---|
committer | Izorkin <izorkin@elven.pw> | 2020-08-05 11:19:32 +0300 |
commit | dfd32f11f3ff1da571e499ed993dff99037e73bd (patch) | |
tree | c1354f8912b97f666896f2217b5b61ccc1dca7ed /nixos/modules/services/misc/gitea.nix | |
parent | 6a0fd33b4c15d7e0e0b0cdad5ef280eba32ccdcc (diff) | |
nixos/gitea: update sandboxing options
Diffstat (limited to 'nixos/modules/services/misc/gitea.nix')
-rw-r--r-- | nixos/modules/services/misc/gitea.nix | 31 |
1 files changed, 19 insertions, 12 deletions
diff --git a/nixos/modules/services/misc/gitea.nix b/nixos/modules/services/misc/gitea.nix
index 734bf79ddf6..6c6541b9369 100644
--- a/nixos/modules/services/misc/gitea.nix
+++ b/nixos/modules/services/misc/gitea.nix
@@ -467,27 +467,34 @@ in
         # Runtime directory and mode
         RuntimeDirectory = "gitea";
         RuntimeDirectoryMode = "0755";
-
-        # Filesystem
+        # Access write directories
+        ReadWritePaths = [ cfg.dump.backupDir cfg.repositoryRoot cfg.stateDir ];
+        UMask = "0027";
+        # Capabilities
+        CapabilityBoundingSet = "";
+        # Security
+        NoNewPrivileges = true;
+        # Sandboxing
+        ProtectSystem = "strict";
         ProtectHome = true;
+        PrivateTmp = true;
         PrivateDevices = true;
+        PrivateUsers = true;
+        ProtectHostname = true;
+        ProtectClock = true;
         ProtectKernelTunables = true;
         ProtectKernelModules = true;
+        ProtectKernelLogs = true;
         ProtectControlGroups = true;
-        ReadWritePaths = [ cfg.dump.backupDir cfg.repositoryRoot cfg.stateDir ];
-        UMask = "0027";
-        # Caps
-        CapabilityBoundingSet = "";
-        NoNewPrivileges = true;
-        # Misc.
+        RestrictAddressFamilies = [ "AF_UNIX AF_INET AF_INET6" ];
         LockPersonality = true;
+        MemoryDenyWriteExecute = true;
         RestrictRealtime = true;
+        RestrictSUIDSGID = true;
         PrivateMounts = true;
-        PrivateUsers = true;
-        MemoryDenyWriteExecute = true;
-        SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @memlock @module @mount @obsolete @raw-io @reboot @resources @setuid @swap";
+        # System Call Filtering
         SystemCallArchitectures = "native";
-        RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6";
+        SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @memlock @module @mount @obsolete @raw-io @reboot @resources @setuid @swap";
       };
 
       environment = {
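Review bot: `RestrictAddressFamilies = [ "AF_UNIX AF_INET AF_INET6" ];` wraps one space-separated string in a single-element list; NixOS renders that as a single `RestrictAddressFamilies=` line, which systemd accepts, but the shape is misleading next to the other list-valued settings in this block — either keep the plain string the removed line used or split the entries, `RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];`. Separately, `ProtectSystem = "strict"` is new here, so the service now sees a read-only filesystem apart from the runtime directory and the three `ReadWritePaths` entries; if this module lets any other directory (log or LFS roots, for instance) be configured outside `cfg.stateDir`, it has to be added to that list or Gitea will fail with EROFS at startup — those options are not visible from this hunk, so please verify against the rest of the module. The enclosing `serviceConfig` attribute set begins before the hunk.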