author | Joachim Fasting <joachifm@fastmail.fm> | 2016-09-01 18:53:06 +0200 |
---|---|---|
committer | Joachim Fasting <joachifm@fastmail.fm> | 2016-09-15 15:37:20 +0200 |
commit | 5dc60051fa7f6e79781c146ae61c0dd8f92e7e10 (patch) | |
tree | e1af377d1e96e346346b27838ad2d3ca8c824233 /nixos | |
parent | 39f5182a30cd9eec3ce5bbf30fd1d5ae04126d89 (diff) | |
unbound service: some pre-chroot isolation
While entering the chroot should provide the same amount of isolation, the preStart script will run with full root privileges and so would benefit from some isolation as well (in particular due to unbound-anchor, which can perform network I/O).
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/services/networking/unbound.nix | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/nixos/modules/services/networking/unbound.nix b/nixos/modules/services/networking/unbound.nix index c7a4eb6060c0..828b8e175569 100644 --- a/nixos/modules/services/networking/unbound.nix +++ b/nixos/modules/services/networking/unbound.nix @@ -122,6 +122,10 @@ in serviceConfig = { ExecStart = "${pkgs.unbound}/bin/unbound -d -c ${stateDir}/unbound.conf"; ExecStopPost="${pkgs.utillinux}/bin/umount ${stateDir}/dev/random"; + + ProtectSystem = true; + ProtectHome = true; + PrivateDevices = true; }; }; |
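Review bot: `ProtectSystem = true;` in the lines added to serviceConfig only makes /usr and /boot read-only, so /etc stays writable to the root-run preStart script that the commit message wants to contain; consider `ProtectSystem = "full";` if preStart does not need to write under /etc. Separately, `PrivateDevices = true;` gives the unit's processes a private /dev in their own mount namespace, while the unchanged `ExecStopPost` line still runs umount on `${stateDir}/dev/random`. Please confirm that this mount is still visible to the unbound process and that the umount still succeeds with the new setting. A one-line comment above the three options saying they are aimed at preStart and unbound-anchor would also help, since that reasoning is only in the commit message.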