authorIzorkin <izorkin@elven.pw>2021-04-03 23:00:48 +0300
committerIzorkin <izorkin@elven.pw>2021-04-12 12:37:49 +0300
commit061c913c366b339fd28b741ca2f56dacb64497f8 (patch)
tree0ff2dced564b6e9409e261316541f358ead01fa8 /nixos
parenta1c0d6ddbcb6d307d44b158d1056d15ad2bd05d0 (diff)
nixos/redis: enable sandbox mode
Diffstat (limited to 'nixos')
-rw-r--r--nixos/modules/services/databases/redis.nix26
1 files changed, 26 insertions, 0 deletions
diff --git a/nixos/modules/services/databases/redis.nix b/nixos/modules/services/databases/redis.nix
index 3ddc7aad81e..24fe4ab3cc2 100644
--- a/nixos/modules/services/databases/redis.nix
+++ b/nixos/modules/services/databases/redis.nix
@@ -295,6 +295,32 @@ in
         StateDirectoryMode = "0700";
         # Access write directories
         UMask = "0077";
+        # Capabilities
+        CapabilityBoundingSet = "";
+        # Security
+        NoNewPrivileges = true;
+        # Sandboxing
+        ProtectSystem = "strict";
+        ProtectHome = true;
+        PrivateTmp = true;
+        PrivateDevices = true;
+        PrivateUsers = true;
+        ProtectClock = true;
+        ProtectHostname = true;
+        ProtectKernelLogs = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        ProtectControlGroups = true;
+        RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
+        RestrictNamespaces = true;
+        LockPersonality = true;
+        MemoryDenyWriteExecute = true;
+        RestrictRealtime = true;
+        RestrictSUIDSGID = true;
+        PrivateMounts = true;
+        # System Call Filtering
+        SystemCallArchitectures = "native";
+        SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @memlock @module @mount @obsolete @privileged @raw-io @reboot @resources @setuid @swap";
       };
     };
   };
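Review bot: The `SystemCallFilter` deny-list added at the end of the hunk includes `@resources`, which covers `setrlimit`/`prlimit64`, and Redis tries to raise RLIMIT_NOFILE at startup when `maxclients` needs more descriptors than the soft limit; with no `SystemCallErrorNumber` in the hunk, a filtered call terminates the service with SIGSYS instead of returning an error Redis can log and work around. Adding `SystemCallErrorNumber = "EPERM";` beside the filter keeps the sandbox fail-closed without killing the process, and a sufficiently high `LimitNOFILE` avoids the call entirely — worth checking against the unit's existing limits, which are outside this hunk. A short comment such as `# deny-list: a hit kills the process unless SystemCallErrorNumber is set` would also make the failure mode visible to the next maintainer. The `serviceConfig` attribute set starts before the hunk, so I cannot see whether such a limit is already configured.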