nixos/echoip: improve systemd hardening

2025-03-06 02:01:23 +01:00 · 2025-03-06 02:01:23 +01:00 · eccf638822
commit eccf638822
parent 110b3af97a
1 changed files with 13 additions and 6 deletions
--- a/nixos/modules/services/web-apps/echoip.nix
+++ b/nixos/modules/services/web-apps/echoip.nix
@ -75,9 +75,12 @@ in
        );
        # Hardening
        AmbientCapabilities = "";
        CapabilityBoundingSet = [ "" ];
-        DeviceAllow = [ "" ];
+        DevicePolicy = "closed";
        LockPersonality = true;
        MemoryDenyWriteExecute = true;
        NoNewPrivileges = true;
        PrivateDevices = true;
        PrivateTmp = true;
        PrivateUsers = true;
@ -91,15 +94,19 @@ in
        ProtectKernelTunables = true;
        ProtectProc = "invisible";
        ProtectSystem = "strict";
-        RestrictAddressFamilies = [
+        RemoveIPC = true;
-          "AF_INET"
+        RestrictAddressFamilies = [ "AF_INET AF_INET6 AF_UNIX" ];
          "AF_INET6"
          "AF_UNIX"
        ];
        RestrictNamespaces = true;
        RestrictRealtime = true;
        RestrictSUIDSGID = true;
        SystemCallArchitectures = "native";
        SystemCallFilter = [
          "@system-service"
          "~@privileged"
          "~@resources"
          "setrlimit"
        ];
        UMask = "0077";
      };
    };