author | 360ied <19516527+360ied@users.noreply.github.com> | 2024-02-02 09:34:43 -0500 |
---|---|---|
committer | 360ied <19516527+360ied@users.noreply.github.com> | 2024-02-04 21:23:34 -0500 |
commit | 11cf6ab0ddc050de98715d4b9353d9ac12f8c9cd (patch) | |
tree | 18940cdd14b4df456f57b4bc296650f443f44fa7 /nixos/modules/services | |
parent | b8b232ae7b8b144397fdb12d20f592e5e7c1a64d (diff) | |
nixos/murmur: systemd service hardening
Murmur provides an official systemd service file in their repo, which contains various service hardening settings:
https://github.com/mumble-voip/mumble/blob/c4b5858d141f76cce553be2f74dfc4291989fc9b/auxiliary_files/config_files/mumble-server.service.in#L7

The service configuration in nixpkgs does not include these hardening settings. This commit adds the hardening settings to the murmur service in nixpkgs.

This drops the `systemd-analyze security` score of murmur.service from 9.2 (UNSAFE) to 2.1 (OK).
Diffstat (limited to 'nixos/modules/services')
-rw-r--r-- | nixos/modules/services/networking/murmur.nix | 23 |
1 files changed, 23 insertions, 0 deletions
diff --git a/nixos/modules/services/networking/murmur.nix b/nixos/modules/services/networking/murmur.nix index 0cd80e134ace..5805f332a66f 100644 --- a/nixos/modules/services/networking/murmur.nix +++ b/nixos/modules/services/networking/murmur.nix @@ -326,6 +326,29 @@ in RuntimeDirectoryMode = "0700"; User = "murmur"; Group = "murmur"; + + # service hardening + AmbientCapabilities = "CAP_NET_BIND_SERVICE"; + CapabilityBoundingSet = "CAP_NET_BIND_SERVICE"; + LockPersonality = true; + MemoryDenyWriteExecute = true; + NoNewPrivileges = true; + PrivateDevices = true; + PrivateTmp = true; + ProtectClock = true; + ProtectControlGroups = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectSystem = "full"; + RestrictAddressFamilies = "~AF_PACKET AF_NETLINK"; + RestrictNamespaces = true; + RestrictSUIDSGID = true; + RestrictRealtime = true; + SystemCallArchitectures = "native"; + SystemCallFilter = "@system-service"; }; }; |
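Review bot: `RestrictAddressFamilies = "~AF_PACKET AF_NETLINK";` is a deny-list, so every socket family other than those two stays reachable; the tighter form is an allow-list of what the server actually uses, e.g. `RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];` (AF_UNIX is needed when a local-socket integration such as D-Bus is enabled; a NixOS list value emits one assignment per entry and systemd merges them), verified by starting the service with its D-Bus and Ice features turned on. Two smaller points in the same block: `AmbientCapabilities`/`CapabilityBoundingSet = "CAP_NET_BIND_SERVICE"` only matter when the configured listen port is below 1024 (murmur's default is 64738), so they could be made conditional on the port and left as an empty bounding set otherwise; and `SystemCallFilter = "@system-service"` is usually paired with `"~@privileged @resources"` to drop the syscall groups this daemon has no use for. Since the values are copied verbatim from the upstream unit, a comment carrying the upstream link from the commit message would make it easier to re-diff against upstream later.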