author | Félix Baylac-Jacqué <felix@alternativebit.fr> | 2020-04-26 15:18:49 +0200 |
---|---|---|
committer | Félix Baylac-Jacqué <felix@alternativebit.fr> | 2020-04-30 20:40:00 +0200 |
commit | 353a8b58e6b12daf2977870743a6dd85ee080448 (patch) | |
tree | 1e4b09b7ceeb47a739a22fb7e664364ab7c1a4cf /nixos | |
parent | 8aea5288725688f7f71bf12c8ee1bb83147b22c6 (diff) | |
nixos/prosody: leverage systemd sandbox features to harden service
We are leveraging the systemd sandboxing features to prevent the service from accessing locations it shouldn't. Most notably, we are here preventing the prosody service from accessing /home and providing it with a private /dev and /tmp. Please consult man systemd.exec for further information.
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/services/networking/prosody.nix | 13 |
1 files changed, 13 insertions, 0 deletions
diff --git a/nixos/modules/services/networking/prosody.nix b/nixos/modules/services/networking/prosody.nix index 8058172cb085..83e397e50fa0 100644 --- a/nixos/modules/services/networking/prosody.nix +++ b/nixos/modules/services/networking/prosody.nix @@ -856,6 +856,19 @@ in PIDFile = "/run/prosody/prosody.pid"; ExecStart = "${cfg.package}/bin/prosodyctl start"; ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; + + MemoryDenyWriteExecute = true; + PrivateDevices = true; + PrivateMounts = true; + PrivateTmp = true; + ProtectControlGroups = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + RestrictNamespaces = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; }; }; |
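Review bot: MemoryDenyWriteExecute = true is the one directive in this hunk that constrains the process's own memory rather than what it can see on the filesystem, so it deserves a runtime check before merging: it makes mmap/mprotect requests for writable-and-executable pages fail, which breaks any interpreter or native library that relies on JIT-style code generation, and the failure shows up only when the daemon started by `prosodyctl start` actually exercises that path, not at unit load time. It would also help to state the remaining gaps next to the new block, since the commit message frames this as limiting filesystem access: ProtectSystem= is not set, so the root filesystem stays writable apart from what the individual Protect* options cover, and NoNewPrivileges is only implied here (systemd.exec documents that options such as ProtectKernelTunables=, MemoryDenyWriteExecute= and RestrictSUIDSGID= turn it on), so writing `NoNewPrivileges = true;` explicitly would make the intended privilege boundary visible in the module rather than depending on that implication.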