authorMartin Weinelt <hexa@darmstadt.ccc.de>2020-09-18 01:53:52 +0200
committerMartin Weinelt <hexa@darmstadt.ccc.de>2020-10-21 12:26:02 +0200
commitc821e0d4be2b4ebc8e1eebca6eb11211a371a43e (patch)
tree363887c6dba68330fceb122e540e702fc06a3a56 /nixos
parente25cd7827e8ba24d50bdc9e69b63d8239099ec6d (diff)
nixos/babeld: lock down service
→ Overall exposure level for babeld.service: 2.2 OK 🙂
Diffstat (limited to 'nixos')
-rw-r--r--nixos/modules/services/networking/babeld.nix34
1 files changed, 31 insertions, 3 deletions
diff --git a/nixos/modules/services/networking/babeld.nix b/nixos/modules/services/networking/babeld.nix
index e62c74d0069..90395dbd3c5 100644
--- a/nixos/modules/services/networking/babeld.nix
+++ b/nixos/modules/services/networking/babeld.nix
@@ -87,9 +87,37 @@ in
       description = "Babel routing daemon";
       after = [ "network.target" ];
       wantedBy = [ "multi-user.target" ];
-      serviceConfig.ExecStart = "${pkgs.babeld}/bin/babeld -c ${configFile}";
+      serviceConfig = {
+        ExecStart = "${pkgs.babeld}/bin/babeld -c ${configFile} -I /run/babeld/babeld.pid -S /var/lib/babeld/state";
+        CapabilityBoundingSet = [ "CAP_NET_ADMIN" ];
+        IPAddressAllow = [ "fe80::/64" "ff00::/8" "::1/128" "127.0.0.0/8" ];
+        IPAddressDeny = "any";
+        LockPersonality = true;
+        NoNewPrivileges = true;
+        MemoryDenyWriteExecute = true;
+        ProtectSystem = "strict";
+        ProtectClock = true;
+        ProtectKernelTunables = false; # Couldn't write sysctl: Read-only file system
+        ProtectKernelModules = true;
+        ProtectKernelLogs = true;
+        ProtectControlGroups = true;
+        RestrictAddressFamilies = [ "AF_NETLINK" "AF_INET6" ];
+        RestrictNamespaces = true;
+        RestrictRealtime = true;
+        RestrictSUIDSGID = true;
+        RemoveIPC = true;
+        ProtectHome = true;
+        ProtectHostname = true;
+        PrivateMounts = true;
+        PrivateTmp = true;
+        PrivateDevices = true;
+        PrivateUsers = false; # kernel_route(ADD): Operation not permitted
+        SystemCallArchitectures = "native";
+        SystemCallFilter = [ "@system-service" ];
+        UMask = "0177";
+        RuntimeDirectory = "babeld";
+        StateDirectory = "babeld";
+      };
     };
-
   };
-
 }
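Review bot: `ProtectKernelTunables = false` is the widest relaxation in the new serviceConfig, since it leaves all of /proc/sys writable to a process that still runs as root and otherwise keeps only CAP_NET_ADMIN; the inline comment records the symptom ("Couldn't write sysctl") but not which sysctl babeld writes, so a later maintainer cannot tell whether pre-setting it from the module (for example through `boot.kernel.sysctl`) would let this be re-enabled. I would extend the comment to `# babeld writes sysctls itself at startup (presumably the IPv6 forwarding/redirect settings — confirm); with ProtectKernelTunables /proc/sys is read-only and it fails. Pre-setting them via boot.kernel.sysctl may allow turning this back on.`. Separately, the `127.0.0.0/8` entry in IPAddressAllow looks inert, because RestrictAddressFamilies omits AF_INET and so no IPv4 socket can be created for that rule to apply to; either drop the entry or add `"AF_INET"` if babeld does need IPv4 sockets, which I cannot tell from the hunk. The systemd.services.babeld definition this serviceConfig belongs to begins before the hunk.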