mirror of
https://github.com/SebastianWendel/nixpkgs.git
synced 2024-09-21 12:59:04 +02:00
nixos/prosody: leverage systemd sandbox features to harden service
We are leveraging the systemd sandboxing features to prevent the service accessing locations it shouldn't do. Most notably, we are here preventing the prosody service from accessing /home and providing it with a private /dev and /tmp. Please consult man systemd.exec for further informations.
This commit is contained in:
parent
8aea528872
commit
353a8b58e6
|
@ -856,6 +856,19 @@ in
|
|||
PIDFile = "/run/prosody/prosody.pid";
|
||||
ExecStart = "${cfg.package}/bin/prosodyctl start";
|
||||
ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
|
||||
|
||||
MemoryDenyWriteExecute = true;
|
||||
PrivateDevices = true;
|
||||
PrivateMounts = true;
|
||||
PrivateTmp = true;
|
||||
ProtectControlGroups = true;
|
||||
ProtectHome = true;
|
||||
ProtectHostname = true;
|
||||
ProtectKernelModules = true;
|
||||
ProtectKernelTunables = true;
|
||||
RestrictNamespaces = true;
|
||||
RestrictRealtime = true;
|
||||
RestrictSUIDSGID = true;
|
||||
};
|
||||
};
|
||||
|
||||
|
|
Loading…
Reference in a new issue