Merge pull request #156163 from erdnaxe/galene_hardening

nixos/galene: systemd unit hardening
author: Robert Hensing <roberth@users.noreply.github.com> 2022-04-28 10:52:00 +0200
committer: GitHub <noreply@github.com> 2022-04-28 10:52:00 +0200
commit: 527457cadc8101e269f6952d8088f537e3bd48e1 (patch)
tree: 68c31c1dd41c8bee5a90b50b0cdf801d8a0ed05c /nixos/modules/services
parent: c55ce6c9bb872edfcae372f85f05bb3018ee4fce (diff)
parent: 92349ece0f0e0c68df7388066dc24e66a6e22cdf (diff)
download: nixpkgs-527457cadc8101e269f6952d8088f537e3bd48e1.tar
nixpkgs-527457cadc8101e269f6952d8088f537e3bd48e1.tar.gz
nixpkgs-527457cadc8101e269f6952d8088f537e3bd48e1.tar.bz2
nixpkgs-527457cadc8101e269f6952d8088f537e3bd48e1.tar.lz
nixpkgs-527457cadc8101e269f6952d8088f537e3bd48e1.tar.xz
nixpkgs-527457cadc8101e269f6952d8088f537e3bd48e1.tar.zst
nixpkgs-527457cadc8101e269f6952d8088f537e3bd48e1.zip
1 files changed, 29 insertions, 0 deletions
diff --git a/nixos/modules/services/web-apps/galene.nix b/nixos/modules/services/web-apps/galene.nix
index 1d0a620585b..38c3392014f 100644
--- a/nixos/modules/services/web-apps/galene.nix
+++ b/nixos/modules/services/web-apps/galene.nix
@@ -164,6 +164,35 @@ in
             optional (cfg.dataDir == defaultdataDir) "galene/data" ++
             optional (cfg.groupsDir == defaultgroupsDir) "galene/groups" ++
             optional (cfg.recordingsDir == defaultrecordingsDir) "galene/recordings";
+
+          # Hardening
+          CapabilityBoundingSet = [ "" ];
+          DeviceAllow = [ "" ];
+          LockPersonality = true;
+          MemoryDenyWriteExecute = true;
+          NoNewPrivileges = true;
+          PrivateDevices = true;
+          PrivateTmp = true;
+          PrivateUsers = true;
+          ProcSubset = "pid";
+          ProtectClock = true;
+          ProtectControlGroups = true;
+          ProtectHome = true;
+          ProtectHostname = true;
+          ProtectKernelLogs = true;
+          ProtectKernelModules = true;
+          ProtectKernelTunables = true;
+          ProtectProc = "invisible";
+          ProtectSystem = "strict";
+          ReadWritePaths = cfg.recordingsDir;
+          RemoveIPC = true;
+          RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
+          RestrictNamespaces = true;
+          RestrictRealtime = true;
+          RestrictSUIDSGID = true;
+          SystemCallArchitectures = "native";
+          SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ];
+          UMask = "0077";
         }
       ];
     };
author	Robert Hensing <roberth@users.noreply.github.com>	2022-04-28 10:52:00 +0200
committer	GitHub <noreply@github.com>	2022-04-28 10:52:00 +0200
commit	527457cadc8101e269f6952d8088f537e3bd48e1 (patch)
tree	68c31c1dd41c8bee5a90b50b0cdf801d8a0ed05c /nixos/modules/services
parent	c55ce6c9bb872edfcae372f85f05bb3018ee4fce (diff)
parent	92349ece0f0e0c68df7388066dc24e66a6e22cdf (diff)
download	nixpkgs-527457cadc8101e269f6952d8088f537e3bd48e1.tar nixpkgs-527457cadc8101e269f6952d8088f537e3bd48e1.tar.gz nixpkgs-527457cadc8101e269f6952d8088f537e3bd48e1.tar.bz2 nixpkgs-527457cadc8101e269f6952d8088f537e3bd48e1.tar.lz nixpkgs-527457cadc8101e269f6952d8088f537e3bd48e1.tar.xz nixpkgs-527457cadc8101e269f6952d8088f537e3bd48e1.tar.zst nixpkgs-527457cadc8101e269f6952d8088f537e3bd48e1.zip