diff options
| author | Janne Heß <janne@hess.ooo> | 2019-06-10 09:50:04 +0200 |
|---|---|---|
| committer | Janne Heß <janne@hess.ooo> | 2019-06-10 09:50:04 +0200 |
| commit | c0e5acb16dece02c6e8f8f3090949ae2b7b45d03 (patch) | |
| tree | 0f8cd28d5e0bd24894cf8fd4d9b7f5e039986821 | |
| parent | 80b51d983ae77f47910ba26305023efbfdb62e91 (diff) | |
| download | nixlib-c0e5acb16dece02c6e8f8f3090949ae2b7b45d03.tar nixlib-c0e5acb16dece02c6e8f8f3090949ae2b7b45d03.tar.gz nixlib-c0e5acb16dece02c6e8f8f3090949ae2b7b45d03.tar.bz2 nixlib-c0e5acb16dece02c6e8f8f3090949ae2b7b45d03.tar.lz nixlib-c0e5acb16dece02c6e8f8f3090949ae2b7b45d03.tar.xz nixlib-c0e5acb16dece02c6e8f8f3090949ae2b7b45d03.tar.zst nixlib-c0e5acb16dece02c6e8f8f3090949ae2b7b45d03.zip | |
nixos/memcached: Isolate the service
memcached is (as the name suggests) an in-memory database so FS access is not required.
| -rw-r--r-- | nixos/modules/services/databases/memcached.nix | 18 |
1 files changed, 18 insertions, 0 deletions
diff --git a/nixos/modules/services/databases/memcached.nix b/nixos/modules/services/databases/memcached.nix index 052ff1f308eb..f9e403dfc0c2 100644 --- a/nixos/modules/services/databases/memcached.nix +++ b/nixos/modules/services/databases/memcached.nix @@ -86,7 +86,25 @@ in in "${memcached}/bin/memcached ${networking} -m ${toString cfg.maxMemory} -c ${toString cfg.maxConnections} ${concatStringsSep " " cfg.extraOptions}"; User = cfg.user; + + # Filesystem access + ProtectSystem = "strict"; + ProtectHome = true; + PrivateTmp = true; + PrivateDevices = true; + ProtectKernelTunables = true; + ProtectKernelModules = true; + ProtectControlGroups = true; RuntimeDirectory = "memcached"; + # Caps + CapabilityBoundingSet = ""; + NoNewPrivileges = true; + # Misc. + LockPersonality = true; + RestrictRealtime = true; + PrivateMounts = true; + PrivateUsers = true; + MemoryDenyWriteExecute = true; }; }; }; |