diff options
| author | Julien Moutinho <julm+nixpkgs@sourcephile.fr> | 2021-05-10 15:29:52 +0200 |
|---|---|---|
| committer | Julien Moutinho <julm+nixpkgs@sourcephile.fr> | 2021-05-10 16:50:41 +0200 |
| commit | cd1f6bc712e7f337a44ab5ee7fdb67745f850b9b (patch) | |
| tree | 9c22cb1d2aedb9908c93a8a446d2837ab3b55cf1 /nixos/modules/services/security/tor.nix | |
| parent | acd5e6707e93c6b0928c96bc43057e91fa0bcee0 (diff) | |
| download | nixpkgs-cd1f6bc712e7f337a44ab5ee7fdb67745f850b9b.tar nixpkgs-cd1f6bc712e7f337a44ab5ee7fdb67745f850b9b.tar.gz nixpkgs-cd1f6bc712e7f337a44ab5ee7fdb67745f850b9b.tar.bz2 nixpkgs-cd1f6bc712e7f337a44ab5ee7fdb67745f850b9b.tar.lz nixpkgs-cd1f6bc712e7f337a44ab5ee7fdb67745f850b9b.tar.xz nixpkgs-cd1f6bc712e7f337a44ab5ee7fdb67745f850b9b.tar.zst nixpkgs-cd1f6bc712e7f337a44ab5ee7fdb67745f850b9b.zip | |
nixos/tor: harden ProcSubset and ProtectProc
Diffstat (limited to 'nixos/modules/services/security/tor.nix')
| -rw-r--r-- | nixos/modules/services/security/tor.nix | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/nixos/modules/services/security/tor.nix b/nixos/modules/services/security/tor.nix index 54c2c2dea23..b58412e2424 100644 --- a/nixos/modules/services/security/tor.nix +++ b/nixos/modules/services/security/tor.nix @@ -1007,6 +1007,7 @@ in # Tor cannot currently bind privileged port when PrivateUsers=true, # see https://gitlab.torproject.org/legacy/trac/-/issues/20930 PrivateUsers = !bindsPrivilegedPort; + ProcSubset = "pid"; ProtectClock = true; ProtectControlGroups = true; ProtectHome = true; @@ -1014,6 +1015,7 @@ in ProtectKernelLogs = true; ProtectKernelModules = true; ProtectKernelTunables = true; + ProtectProc = "invisible"; ProtectSystem = "strict"; RemoveIPC = true; RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ]; |