author | Izorkin <izorkin@elven.pw> | 2020-05-14 14:10:49 +0300 |
---|---|---|
committer | Izorkin <izorkin@elven.pw> | 2020-08-09 10:19:30 +0300 |
commit | 2f6a18af5a76894c172298e7f1457fb932f7f1b7 (patch) | |
tree | 898a22155845d5435b631907a11c96bb9d32f034 /nixos/modules/services/monitoring | |
parent | debf9a3f0bda5477b8765b7c78e0e8393d7fb416 (diff) | |
nixos/netadata: enable simple sandboxing
Diffstat (limited to 'nixos/modules/services/monitoring')
-rw-r--r-- | nixos/modules/services/monitoring/netdata.nix | 45 |
1 files changed, 32 insertions, 13 deletions
diff --git a/nixos/modules/services/monitoring/netdata.nix b/nixos/modules/services/monitoring/netdata.nix
index a5233a46e34..2e73e15d3a8 100644
--- a/nixos/modules/services/monitoring/netdata.nix
+++ b/nixos/modules/services/monitoring/netdata.nix
@@ -133,16 +133,6 @@ in {
 }
 ];
- systemd.tmpfiles.rules = [
- "d /var/cache/netdata 0755 ${cfg.user} ${cfg.group} -"
- "Z /var/cache/netdata - ${cfg.user} ${cfg.group} -"
- "d /var/log/netdata 0755 ${cfg.user} ${cfg.group} -"
- "Z /var/log/netdata - ${cfg.user} ${cfg.group} -"
- "d /var/lib/netdata 0755 ${cfg.user} ${cfg.group} -"
- "Z /var/lib/netdata - ${cfg.user} ${cfg.group} -"
- "d /etc/netdata 0755 ${cfg.user} ${cfg.group} -"
- "Z /etc/netdata - ${cfg.user} ${cfg.group} -"
- ];
 systemd.services.netdata = {
 description = "Real time performance monitoring";
 after = [ "network.target" ];
@@ -158,11 +148,40 @@ in {
 # User and group
 User = cfg.user;
 Group = cfg.group;
- # Runtime directory and mode
- RuntimeDirectory = "netdata";
- RuntimeDirectoryMode = "0755";
 # Performance
 LimitNOFILE = "30000";
+ # Runtime directory and mode
+ RuntimeDirectory = "netdata";
+ RuntimeDirectoryMode = "0750";
+ # State directory and mode
+ StateDirectory = "netdata";
+ StateDirectoryMode = "0750";
+ # Cache directory and mode
+ CacheDirectory = "netdata";
+ CacheDirectoryMode = "0750";
+ # Logs directory and mode
+ LogsDirectory = "netdata";
+ LogsDirectoryMode = "0750";
+ # Configuration directory and mode
+ ConfigurationDirectory = "netdata";
+ ConfigurationDirectoryMode = "0755";
+ # Capabilities
+ CapabilityBoundingSet = [
+ "CAP_DAC_OVERRIDE" # is required for freeipmi and slabinfo plugins
+ "CAP_DAC_READ_SEARCH" # is required for apps plugin
+ "CAP_FOWNER" # is required for freeipmi plugin
+ "CAP_SETPCAP" # is required for apps, perf and slabinfo plugins
+ "CAP_SYS_ADMIN" # is required for perf plugin
+ "CAP_SYS_PTRACE" # is required for apps plugin
+ "CAP_SYS_RESOURCE" # is required for ebpf plugin
+ "CAP_NET_RAW" # is required for fping app
+ ];
+ # Sandboxing
+ ProtectSystem = "full";
+ ProtectHome = "read-only";
+ PrivateTmp = true;
+ ProtectControlGroups = true;
+ PrivateMounts = true;
 };
 }; |
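Review bot: `CapabilityBoundingSet` here is a ceiling rather than a grant — with `User = cfg.user` the daemon itself starts without any of these capabilities, so the list only matters for plugins that re-acquire privilege on exec (presumably via setuid or file-capability wrappers defined elsewhere in the module; they are not in this hunk). Because the list is the union of every plugin's needs, CAP_SYS_ADMIN, CAP_SYS_PTRACE and CAP_DAC_OVERRIDE remain obtainable on hosts where the perf, apps and freeipmi plugins are never used, and together they let a compromised plugin read or modify most of what the mount-namespace options below are meant to protect. Consider deriving the list from the plugins actually enabled, or at least stating the limitation above it: `# Ceiling for the privileged plugin wrappers, not a grant to the daemon; this is the union over all plugins, so CAP_SYS_ADMIN/CAP_SYS_PTRACE/CAP_DAC_OVERRIDE stay obtainable even when those plugins are unused.` Separately, `ProtectSystem = "full"` mounts /etc read-only while `ConfigurationDirectory = "netdata"` lives under it; to my understanding systemd does not exempt the configuration directory from ProtectSystem the way it does State/Cache/Logs, so anything netdata writes into /etc/netdata at runtime would now fail — worth confirming before merge. The enclosing `serviceConfig` / `systemd.services.netdata` attribute set begins before this hunk.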