diff options
| author | Izorkin <izorkin@elven.pw> | 2020-04-13 16:57:47 +0300 |
|---|---|---|
| committer | Izorkin <izorkin@elven.pw> | 2020-05-12 20:03:27 +0300 |
| commit | 628354c686e5ea5bb997ca9d387c68d62f89e787 (patch) | |
| tree | 5324dc5767eb5dc3e82a0ddca3b39a5db3b66705 /nixos/modules/services/web-servers | |
| parent | 90c0191735bc729acd36e4ba72ef3ffd88f679c6 (diff) | |
| download | nixlib-628354c686e5ea5bb997ca9d387c68d62f89e787.tar nixlib-628354c686e5ea5bb997ca9d387c68d62f89e787.tar.gz nixlib-628354c686e5ea5bb997ca9d387c68d62f89e787.tar.bz2 nixlib-628354c686e5ea5bb997ca9d387c68d62f89e787.tar.lz nixlib-628354c686e5ea5bb997ca9d387c68d62f89e787.tar.xz nixlib-628354c686e5ea5bb997ca9d387c68d62f89e787.tar.zst nixlib-628354c686e5ea5bb997ca9d387c68d62f89e787.zip | |
nixos/nginx: enable sandboxing
Diffstat (limited to 'nixos/modules/services/web-servers')
| -rw-r--r-- | nixos/modules/services/web-servers/nginx/default.nix | 20 |
1 files changed, 20 insertions, 0 deletions
diff --git a/nixos/modules/services/web-servers/nginx/default.nix b/nixos/modules/services/web-servers/nginx/default.nix index 1e9cda7e4785..16c56dc745f9 100644 --- a/nixos/modules/services/web-servers/nginx/default.nix +++ b/nixos/modules/services/web-servers/nginx/default.nix @@ -710,6 +710,26 @@ in LogsDirectoryMode = "0750"; # Capabilities AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" "CAP_SYS_RESOURCE" ]; + CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" "CAP_SYS_RESOURCE" ]; + # Security + NoNewPrivileges = true; + # Sandboxing + ProtectSystem = "strict"; + ProtectHome = mkDefault true; + PrivateTmp = true; + PrivateDevices = true; + ProtectHostname = true; + ProtectKernelTunables = true; + ProtectKernelModules = true; + ProtectControlGroups = true; + RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ]; + LockPersonality = true; + MemoryDenyWriteExecute = mkDefault true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + PrivateMounts = true; + # System Call Filtering + SystemCallArchitectures = "native"; }; }; |