From 40c923aa13806beae85966bf063bd865812fefa8 Mon Sep 17 00:00:00 2001
From: Mads Mogensen
Date: Sat, 17 Jun 2023 11:32:42 +0200
Subject: davmail: enable sandboxing options
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The output from `systemd-analyze security davmail`:

Before: `Overall exposure level for davmail.service: 8.2 EXPOSED 🙁`
After: `Overall exposure level for davmail.service: 1.3 OK 🙂`
---
 nixos/modules/services/mail/davmail.nix | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)
(limited to 'nixos/modules/services/mail')

diff --git a/nixos/modules/services/mail/davmail.nix b/nixos/modules/services/mail/davmail.nix
index 483f591a7268..9cdb435af4a1 100644
--- a/nixos/modules/services/mail/davmail.nix
+++ b/nixos/modules/services/mail/davmail.nix
@@ -91,6 +91,33 @@ in
 Restart = "on-failure";
 DynamicUser = "yes";
 LogsDirectory = "davmail";
+
+ CapabilityBoundingSet = [ "" ];
+ DeviceAllow = [ "" ];
+ LockPersonality = true;
+ NoNewPrivileges = true;
+ PrivateDevices = true;
+ PrivateTmp = true;
+ PrivateUsers = true;
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ ProtectHome = true;
+ ProtectSystem = "strict";
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectProc = "invisible";
+ RemoveIPC = true;
+ RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ SystemCallArchitectures = "native";
+ SystemCallFilter = "@system-service";
+ SystemCallErrorNumber = "EPERM";
+ UMask = "0077";
+
 };
 };
-- 
cgit 1.4.1
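Review bot: With `CapabilityBoundingSet = [ "" ];` and `NoNewPrivileges = true;` the service can no longer bind to ports below 1024, so a user who points davmail at a privileged IMAP/CalDAV/SMTP port will get a bind failure at start-up rather than a working service; if the module lets users choose the listening ports (that option block is outside the hunk), either document the restriction in a comment next to the bounding-set line or conditionally add `AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];` together with the matching `CapabilityBoundingSet` entry when a port below 1024 is configured. `RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];` also removes AF_UNIX and AF_NETLINK, which I believe the JVM's network-interface enumeration and any syslog-style logging path would need — I cannot confirm that from this page, so verify the service still starts and logs under the new unit before merging. A short comment above the block would help the next maintainer, e.g. `# Hardening derived from systemd-analyze security; SystemCallErrorNumber makes filtered syscalls fail with EPERM instead of killing the JVM.` The enclosing `serviceConfig` attribute set begins before the hunk.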