talexander/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Releases Activity

nixos/anubis: Apply some more hardening settings

Browse Source 
Signed-off-by: Felix Singer <felixsinger@posteo.net>
This commit is contained in:
Felix Singer 2025-05-23 07:10:15 +02:00
parent c9b1eb70c6
commit 959c8e9311
1 changed files with 3 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
nixos/modules/services/networking/anubis.nix
View File

@ -299,7 +299,8 @@ in
]; ];
SystemCallArchitectures = "native"; SystemCallArchitectures = "native";
MemoryDenyWriteExecute = true; MemoryDenyWriteExecute = true;
AmbientCapabilities = "";
PrivateMounts = true;
PrivateUsers = true; PrivateUsers = true;
PrivateTmp = true; PrivateTmp = true;
PrivateDevices = true; PrivateDevices = true;
@ -313,6 +314,7 @@ in
ProtectSystem = "strict"; ProtectSystem = "strict";
ProtectControlGroups = "strict"; ProtectControlGroups = "strict";
LockPersonality = true; LockPersonality = true;
RemoveIPC = true;
RestrictRealtime = true; RestrictRealtime = true;
RestrictSUIDSGID = true; RestrictSUIDSGID = true;
RestrictNamespaces = true; RestrictNamespaces = true;