author | Marek Mahut <marek.mahut@gmail.com> | 2019-08-13 08:56:34 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2019-08-13 08:56:34 +0200 |
commit | 4754ca7d2ee695d660a1dbfc3f8e879306b01bcf (patch) | |
tree | 2fc93d53d95e03d2a2f82dc7af8c1468344dabc0 | |
parent | 8746c77a383f5c76153c7a181f3616d273acfa2a (diff) | |
parent | c0e5acb16dece02c6e8f8f3090949ae2b7b45d03 (diff) | |
Merge pull request #62936 from dasJ/sandbox-memcached
nixos/memcached: Isolate the service
-rw-r--r-- | nixos/modules/services/databases/memcached.nix | 18 |
1 files changed, 18 insertions, 0 deletions
diff --git a/nixos/modules/services/databases/memcached.nix b/nixos/modules/services/databases/memcached.nix
index 052ff1f308eb..f9e403dfc0c2 100644
--- a/nixos/modules/services/databases/memcached.nix
+++ b/nixos/modules/services/databases/memcached.nix
@@ -86,7 +86,25 @@ in
 in "${memcached}/bin/memcached ${networking} -m ${toString cfg.maxMemory} -c ${toString cfg.maxConnections} ${concatStringsSep " " cfg.extraOptions}";
 User = cfg.user;
+
+ # Filesystem access
+ ProtectSystem = "strict";
+ ProtectHome = true;
+ PrivateTmp = true;
+ PrivateDevices = true;
+ ProtectKernelTunables = true;
+ ProtectKernelModules = true;
+ ProtectControlGroups = true;
 RuntimeDirectory = "memcached";
+ # Caps
+ CapabilityBoundingSet = "";
+ NoNewPrivileges = true;
+ # Misc.
+ LockPersonality = true;
+ RestrictRealtime = true;
+ PrivateMounts = true;
+ PrivateUsers = true;
+ MemoryDenyWriteExecute = true;
 };
 };
 }; |
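Review bot: The added sandbox leaves the network and syscall surface of this network-facing daemon unrestricted: none of the new `serviceConfig` lines limits socket address families, namespace creation or syscall ABIs. The daemon is started with `${networking}`, which is defined outside the hunk and presumably selects a TCP listener or a Unix socket (confirm), so adding `RestrictAddressFamilies = "AF_INET AF_INET6 AF_UNIX";`, `RestrictNamespaces = true;` and `SystemCallArchitectures = "native";` under `# Misc.` would close that gap once checked in both modes. With `ProtectSystem = "strict"` the writable paths shrink to the `RuntimeDirectory` and the private `/tmp`, so any `cfg.extraOptions` value that points memcached at a file elsewhere will now fail; a comment next to `ProtectSystem` saying so would help users. The `serviceConfig` set begins before the hunk, so settings above `ExecStart` were not reviewed against the empty `CapabilityBoundingSet`.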