diff options
| author | Will Dietz <w@wdtz.org> | 2018-10-12 16:41:53 -0500 |
|---|---|---|
| committer | Will Dietz <w@wdtz.org> | 2018-10-29 08:09:52 -0500 |
| commit | d7e4c49ffc4c3879bc2edb287f0758c17b0e00e3 (patch) | |
| tree | 4285f62cfe90327ab7583b4eb3cc4f3eb43e297f | |
| parent | b5bac7d8a8c155a7b1fe1f3868fd876125e02086 (diff) | |
| download | nixlib-d7e4c49ffc4c3879bc2edb287f0758c17b0e00e3.tar nixlib-d7e4c49ffc4c3879bc2edb287f0758c17b0e00e3.tar.gz nixlib-d7e4c49ffc4c3879bc2edb287f0758c17b0e00e3.tar.bz2 nixlib-d7e4c49ffc4c3879bc2edb287f0758c17b0e00e3.tar.lz nixlib-d7e4c49ffc4c3879bc2edb287f0758c17b0e00e3.tar.xz nixlib-d7e4c49ffc4c3879bc2edb287f0758c17b0e00e3.tar.zst nixlib-d7e4c49ffc4c3879bc2edb287f0758c17b0e00e3.zip | |
nixos/upower: lockdown service using upstream settings
| -rw-r--r-- | nixos/modules/services/hardware/upower.nix | 26 |
1 files changed, 26 insertions, 0 deletions
diff --git a/nixos/modules/services/hardware/upower.nix b/nixos/modules/services/hardware/upower.nix index 2198842a4511..1da47349c077 100644 --- a/nixos/modules/services/hardware/upower.nix +++ b/nixos/modules/services/hardware/upower.nix @@ -56,6 +56,32 @@ in { Type = "dbus"; BusName = "org.freedesktop.UPower"; ExecStart = "@${cfg.package}/libexec/upowerd upowerd"; + Restart = "on-failure"; + # Upstream lockdown: + # Filesystem lockdown + ProtectSystem = "strict"; + # Needed by keyboard backlight support + ProtectKernelTunables = false; + ProtectControlGroups = true; + ReadWritePaths = "/var/lib/upower"; + ProtectHome = true; + PrivateTmp = true; + + # Network + # PrivateNetwork=true would block udev's netlink socket + RestrictAddressFamilies = "AF_UNIX AF_NETLINK"; + + # Execute Mappings + MemoryDenyWriteExecute = true; + + # Modules + ProtectKernelModules = true; + + # Real-time + RestrictRealtime = true; + + # Privilege escalation + NoNewPrivileges = true; }; }; |