author | Mads Mogensen <mail@madsmogensen.dk> | 2023-06-17 11:32:42 +0200 |
---|---|---|
committer | Mads Mogensen <mail@madsmogensen.dk> | 2023-06-17 11:32:42 +0200 |
commit | 40c923aa13806beae85966bf063bd865812fefa8 (patch) | |
tree | 25c8f06b5a3bf791d69fa577839b09716e97d562 /nixos/modules/services | |
parent | 7096fc814bc533148bbf4e6df970c7470850d8de (diff) | |
davmail: enable sandboxing options
The output from `systemd-analyze security davmail`:

Before: `Overall exposure level for davmail.service: 8.2 EXPOSED 🙁`

After: `Overall exposure level for davmail.service: 1.3 OK 🙂`
Diffstat (limited to 'nixos/modules/services')
-rw-r--r-- | nixos/modules/services/mail/davmail.nix | 27 |
1 files changed, 27 insertions, 0 deletions
diff --git a/nixos/modules/services/mail/davmail.nix b/nixos/modules/services/mail/davmail.nix index 483f591a7268..9cdb435af4a1 100644 --- a/nixos/modules/services/mail/davmail.nix +++ b/nixos/modules/services/mail/davmail.nix @@ -91,6 +91,33 @@ in Restart = "on-failure"; DynamicUser = "yes"; LogsDirectory = "davmail"; + + CapabilityBoundingSet = [ "" ]; + DeviceAllow = [ "" ]; + LockPersonality = true; + NoNewPrivileges = true; + PrivateDevices = true; + PrivateTmp = true; + PrivateUsers = true; + ProtectClock = true; + ProtectControlGroups = true; + ProtectHome = true; + ProtectSystem = "strict"; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectProc = "invisible"; + RemoveIPC = true; + RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ]; + RestrictNamespaces = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + SystemCallArchitectures = "native"; + SystemCallFilter = "@system-service"; + SystemCallErrorNumber = "EPERM"; + UMask = "0077"; + }; }; |
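Review bot: the two empty-string lists at the top of the hunk, `CapabilityBoundingSet = [ "" ];` and `DeviceAllow = [ "" ];`, deserve a one-line comment: the empty string is what clears the capability set and the device allow-list, whereas `[ ]` would leave the setting unset, and a later reader tidying the module could easily "fix" it the wrong way. Beyond that, the exposure score quoted in the commit message is a static assessment, not a functional check; since `RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];` drops AF_UNIX, `ProtectHome = true` hides home directories and `SystemCallFilter = "@system-service"` now returns `EPERM` for everything outside that allow-list, it would be worth stating in the PR that davmail was exercised end to end (local listeners bound, an Exchange login completed, `LogsDirectory` still written) under the new unit, and that `MemoryDenyWriteExecute` was left out on purpose if that was the case.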