diff options
| author | Sophie Taylor <sophie@traumapony.org> | 2016-11-05 01:22:17 +1000 |
|---|---|---|
| committer | Emery Hemingway <emery@vfemail.net> | 2016-11-04 17:00:23 +0100 |
| commit | 20e81f7c0d56e0b179115ca72a85b81ff637d909 (patch) | |
| tree | cac5b17fd0f6c4ecf68ff1f6f3570c8506234bd9 /nixos/modules/services/networking/cjdns.nix | |
| parent | ffa3f868c94f2816b0f006fb407c1370df03a02b (diff) | |
| download | nixpkgs-20e81f7c0d56e0b179115ca72a85b81ff637d909.tar nixpkgs-20e81f7c0d56e0b179115ca72a85b81ff637d909.tar.gz nixpkgs-20e81f7c0d56e0b179115ca72a85b81ff637d909.tar.bz2 nixpkgs-20e81f7c0d56e0b179115ca72a85b81ff637d909.tar.lz nixpkgs-20e81f7c0d56e0b179115ca72a85b81ff637d909.tar.xz nixpkgs-20e81f7c0d56e0b179115ca72a85b81ff637d909.tar.zst nixpkgs-20e81f7c0d56e0b179115ca72a85b81ff637d909.zip | |
nixos/cjdns: tightened permissions via systemd, added caps
Diffstat (limited to 'nixos/modules/services/networking/cjdns.nix')
| -rw-r--r-- | nixos/modules/services/networking/cjdns.nix | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/nixos/modules/services/networking/cjdns.nix b/nixos/modules/services/networking/cjdns.nix index b293cba737a..7e981183353 100644 --- a/nixos/modules/services/networking/cjdns.nix +++ b/nixos/modules/services/networking/cjdns.nix @@ -245,7 +245,10 @@ in serviceConfig = { Type = "forking"; Restart = "on-failure"; - + CapabilityBoundingSet = "CAP_NET_ADMIN CAP_NET_RAW"; + AmbientCapabilities = "CAP_NET_ADMIN CAP_NET_RAW"; + ProtectSystem = "full"; + MemoryDenyWriteExecute = true; ProtectHome = true; PrivateTmp = true; }; |