From e5d049e46978ccdcf114852d161be66224351724 Mon Sep 17 00:00:00 2001
From: Will Dietz
Date: Tue, 7 May 2019 22:53:09 -0500
Subject: rngd: harden service config, from arch
---
 nixos/modules/security/rngd.nix | 5 +++++
 1 file changed, 5 insertions(+)
(limited to 'nixos/modules')
diff --git a/nixos/modules/security/rngd.nix b/nixos/modules/security/rngd.nix
index 60361d9960ed..d9d6d9c9f253 100644
--- a/nixos/modules/security/rngd.nix
+++ b/nixos/modules/security/rngd.nix
@@ -42,6 +42,11 @@ in
 serviceConfig = {
 ExecStart = "${pkgs.rng-tools}/sbin/rngd -f"
 + optionalString cfg.debug " -d";
+ NoNewPrivileges = true;
+ PrivateNetwork = true;
+ PrivateTmp = true;
+ ProtectSystem = "full";
+ ProtectHome = true;
 };
 };
 };
-- cgit 1.4.1
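Review bot: `PrivateNetwork = true` in the added `serviceConfig` lines leaves rngd with only a loopback interface, so any entropy source that fetches data over the network would stop contributing. Whether the packaged rng-tools build enables such a source is not visible in this hunk and should be checked before merging. The five settings also arrive without a comment, so a later maintainer cannot tell which sandboxing options are safe to add; I would put `# Hardening options taken from Arch's rngd unit. Do not add PrivateDevices: rngd reads the host's hardware RNG devices.` above `NoNewPrivileges`. The unit still appears to run with root's full capability set, so a `CapabilityBoundingSet` limited to what rngd needs would be a worthwhile follow-up once the required capabilities are confirmed by testing. The enclosing module starts and ends outside the hunk.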