author | Jörg Thalheim <Mic92@users.noreply.github.com> | 2020-05-13 10:34:02 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-05-13 10:34:02 +0100 |
commit | 6c437ef1bb71268feaf0878c93ffda8522a11704 (patch) | |
tree | cbee6f4189efcc1e8beefbc065b08ec05222f880 /nixos/modules | |
parent | 42c85f251da799548a9d0f445b981ee22733d68c (diff) | |
parent | 94391fce1d5c4580482271c2b49ecffdef38b017 (diff) | |
Merge pull request #85567 from Izorkin/nginx-sandbox
Diffstat (limited to 'nixos/modules')
-rw-r--r-- | nixos/modules/services/web-servers/nginx/default.nix | 29 |
1 files changed, 29 insertions, 0 deletions
diff --git a/nixos/modules/services/web-servers/nginx/default.nix b/nixos/modules/services/web-servers/nginx/default.nix
index 1e9cda7e4785..312d2b0a21a7 100644
--- a/nixos/modules/services/web-servers/nginx/default.nix
+++ b/nixos/modules/services/web-servers/nginx/default.nix
@@ -463,6 +463,14 @@ in
 '';
 };
+ enableSandbox = mkOption {
+ default = false;
+ type = types.bool;
+ description = ''
+ Starting Nginx web server with additional sandbox/hardening options.
+ '';
+ };
+
 user = mkOption {
 type = types.str;
 default = "nginx";
@@ -710,6 +718,27 @@ in
 LogsDirectoryMode = "0750";
 # Capabilities
 AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" "CAP_SYS_RESOURCE" ];
+ CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" "CAP_SYS_RESOURCE" ];
+ # Security
+ NoNewPrivileges = true;
+ } // optionalAttrs cfg.enableSandbox {
+ # Sandboxing
+ ProtectSystem = "strict";
+ ProtectHome = mkDefault true;
+ PrivateTmp = true;
+ PrivateDevices = true;
+ ProtectHostname = true;
+ ProtectKernelTunables = true;
+ ProtectKernelModules = true;
+ ProtectControlGroups = true;
+ RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
+ LockPersonality = true;
+ MemoryDenyWriteExecute = !(builtins.any (mod: (mod.allowMemoryWriteExecute or false)) pkgs.nginx.modules);
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ PrivateMounts = true;
+ # System Call Filtering
+ SystemCallArchitectures = "native";
 };
 };
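Review bot: `MemoryDenyWriteExecute` is derived from `pkgs.nginx.modules`, but the unit runs whatever nginx package the module is configured with, so a deployment using a different nginx build whose modules carry the `allowMemoryWriteExecute` flag this line checks would still get W^X enforced and a crashing worker; if the module's package option is `cfg.package` (not visible in this hunk), the line should read `MemoryDenyWriteExecute = !(builtins.any (mod: (mod.allowMemoryWriteExecute or false)) cfg.package.modules);`. The `# System Call Filtering` heading introduces only `SystemCallArchitectures`; either add a `SystemCallFilter` (for example `SystemCallFilter = [ "@system-service" ];`, to be validated against the syscalls nginx and its modules actually make) or rename the comment so it does not promise a filter that is not there. The `enableSandbox` description in the first hunk should also state that `ProtectSystem = "strict"` makes the whole filesystem read-only apart from the systemd-managed state, cache and log directories, so sites that write elsewhere need `ReadWritePaths`. The `serviceConfig` attribute set these lines extend begins outside the hunk.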