nixos/mastodon: enable sandbox mode

author: Izorkin <izorkin@elven.pw> 2021-02-14 22:07:40 +0300
committer: erictapen <justin.humm@posteo.de> 2021-03-24 17:28:50 +0100
commit: f3a032dee5d2da64b0e925bf81293dd42d58e7fc (patch)
tree: c3d952872f57209f39f539a2ca328c422af27324 /nixos/modules/services/web-apps/mastodon.nix
parent: 5db15c129b566bc78afae76dceeaf3d6e53866fc (diff)
download: nixpkgs-f3a032dee5d2da64b0e925bf81293dd42d58e7fc.tar
nixpkgs-f3a032dee5d2da64b0e925bf81293dd42d58e7fc.tar.gz
nixpkgs-f3a032dee5d2da64b0e925bf81293dd42d58e7fc.tar.bz2
nixpkgs-f3a032dee5d2da64b0e925bf81293dd42d58e7fc.tar.lz
nixpkgs-f3a032dee5d2da64b0e925bf81293dd42d58e7fc.tar.xz
nixpkgs-f3a032dee5d2da64b0e925bf81293dd42d58e7fc.tar.zst
nixpkgs-f3a032dee5d2da64b0e925bf81293dd42d58e7fc.zip
1 files changed, 24 insertions, 0 deletions
diff --git a/nixos/modules/services/web-apps/mastodon.nix b/nixos/modules/services/web-apps/mastodon.nix
index ea7aebc3b12..16e8ae2ec0b 100644
--- a/nixos/modules/services/web-apps/mastodon.nix
+++ b/nixos/modules/services/web-apps/mastodon.nix
@@ -43,8 +43,32 @@ let
     LogsDirectoryMode = "0750";
     # Access write directories
     UMask = "0027";
+    # Capabilities
+    CapabilityBoundingSet = "";
+    # Security
+    NoNewPrivileges = true;
     # Sandboxing
+    ProtectSystem = "strict";
+    ProtectHome = true;
     PrivateTmp = true;
+    PrivateDevices = true;
+    PrivateUsers = true;
+    ProtectClock = true;
+    ProtectHostname = true;
+    ProtectKernelLogs = true;
+    ProtectKernelModules = true;
+    ProtectKernelTunables = true;
+    ProtectControlGroups = true;
+    RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" "AF_NETLINK" ];
+    RestrictNamespaces = true;
+    LockPersonality = true;
+    MemoryDenyWriteExecute = false;
+    RestrictRealtime = true;
+    RestrictSUIDSGID = true;
+    PrivateMounts = true;
+    # System Call Filtering
+    SystemCallArchitectures = "native";
+    SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @reboot @resources @setuid @swap";
   };
 
   envFile = pkgs.writeText "mastodon.env" (lib.concatMapStrings (s: s + "\n") (
author	Izorkin <izorkin@elven.pw>	2021-02-14 22:07:40 +0300
committer	erictapen <justin.humm@posteo.de>	2021-03-24 17:28:50 +0100
commit	f3a032dee5d2da64b0e925bf81293dd42d58e7fc (patch)
tree	c3d952872f57209f39f539a2ca328c422af27324 /nixos/modules/services/web-apps/mastodon.nix
parent	5db15c129b566bc78afae76dceeaf3d6e53866fc (diff)
download	nixpkgs-f3a032dee5d2da64b0e925bf81293dd42d58e7fc.tar nixpkgs-f3a032dee5d2da64b0e925bf81293dd42d58e7fc.tar.gz nixpkgs-f3a032dee5d2da64b0e925bf81293dd42d58e7fc.tar.bz2 nixpkgs-f3a032dee5d2da64b0e925bf81293dd42d58e7fc.tar.lz nixpkgs-f3a032dee5d2da64b0e925bf81293dd42d58e7fc.tar.xz nixpkgs-f3a032dee5d2da64b0e925bf81293dd42d58e7fc.tar.zst nixpkgs-f3a032dee5d2da64b0e925bf81293dd42d58e7fc.zip