dnscrypt-proxy service: additional hardening

Run the daemon with private /home and /run/user to prevent it from enumerating users on the system.
author: Joachim Fasting <joachifm@fastmail.fm> 2016-03-23 20:42:01 +0100
committer: Joachim Fasting <joachifm@fastmail.fm> 2016-03-24 17:14:22 +0100
commit: 03bdf8f03cbc9157bd04aa786d366bdbb2acd234 (patch)
tree: 54b1ebf3ab8f31d59c22946b68f1080e66cbed2a
parent: 4001917359db57b75662581e55d33e38fa60bc2d (diff)
download: nixlib-03bdf8f03cbc9157bd04aa786d366bdbb2acd234.tar
nixlib-03bdf8f03cbc9157bd04aa786d366bdbb2acd234.tar.gz
nixlib-03bdf8f03cbc9157bd04aa786d366bdbb2acd234.tar.bz2
nixlib-03bdf8f03cbc9157bd04aa786d366bdbb2acd234.tar.lz
nixlib-03bdf8f03cbc9157bd04aa786d366bdbb2acd234.tar.xz
nixlib-03bdf8f03cbc9157bd04aa786d366bdbb2acd234.tar.zst
nixlib-03bdf8f03cbc9157bd04aa786d366bdbb2acd234.zip
1 files changed, 1 insertions, 0 deletions
diff --git a/nixos/modules/services/networking/dnscrypt-proxy.nix b/nixos/modules/services/networking/dnscrypt-proxy.nix
index e6204a387bda..3d5ce7b9d5ce 100644
--- a/nixos/modules/services/networking/dnscrypt-proxy.nix
+++ b/nixos/modules/services/networking/dnscrypt-proxy.nix
@@ -204,6 +204,7 @@ in
 
         PrivateTmp = true;
         PrivateDevices = true;
+        ProtectHome = true;
       };
     };
   };
author	Joachim Fasting <joachifm@fastmail.fm>	2016-03-23 20:42:01 +0100
committer	Joachim Fasting <joachifm@fastmail.fm>	2016-03-24 17:14:22 +0100
commit	03bdf8f03cbc9157bd04aa786d366bdbb2acd234 (patch)
tree	54b1ebf3ab8f31d59c22946b68f1080e66cbed2a
parent	4001917359db57b75662581e55d33e38fa60bc2d (diff)
download	nixlib-03bdf8f03cbc9157bd04aa786d366bdbb2acd234.tar nixlib-03bdf8f03cbc9157bd04aa786d366bdbb2acd234.tar.gz nixlib-03bdf8f03cbc9157bd04aa786d366bdbb2acd234.tar.bz2 nixlib-03bdf8f03cbc9157bd04aa786d366bdbb2acd234.tar.lz nixlib-03bdf8f03cbc9157bd04aa786d366bdbb2acd234.tar.xz nixlib-03bdf8f03cbc9157bd04aa786d366bdbb2acd234.tar.zst nixlib-03bdf8f03cbc9157bd04aa786d366bdbb2acd234.zip