From 2eddcca425de085f5f193d7d61ebb426edcb77cc Mon Sep 17 00:00:00 2001
From: Andrey Golovizin
Date: Tue, 10 Mar 2020 23:31:51 +0100
Subject: [PATCH] Harden the systemd service even more

---
 module.nix | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/module.nix b/module.nix
index a1a1f5a..29c0aed 100644
--- a/module.nix
+++ b/module.nix
@@ -90,17 +90,23 @@ in
 ExecStartPre = "${strojnadzor}/bin/strojnadzor-admin migrate";
 ExecStart = "${strojnadzor}/bin/strojnadzor-admin runserver-gunicorn";
 StateDirectory = "strojnadzor";
+ CapabilityBoundingSet = "";
 LockPersonality = true;
 NoNewPrivileges = true;
 PrivateDevices = true;
- RestrictNamespaces = true;
+ # PrivateNetwork = true;
 PrivateTmp = true;
+ PrivateUsers = true;
 ProtectControlGroups = true;
 ProtectHome = true;
 ProtectKernelModules = true;
 ProtectKernelTunables = true;
 ProtectSystem = "strict";
+ RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
+ RestrictNamespaces = true;
 RestrictSUIDSGID = true;
+ SystemCallErrorNumber = "EPERM";
+ SystemCallFilter = "@system-service";
 };
 environment.STROJNADZOR_DATA_DIR = "${cfg.stateDir}";
 };
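Review bot: `SystemCallErrorNumber = "EPERM";` turns every seccomp violation from a SIGSYS kill into a quietly failing syscall, so a call outside `@system-service` would most likely surface only as an unexplained permission error inside gunicorn rather than as a clear signal in the journal; unless a specific syscall is known to need the soft failure, consider dropping that line, or add a comment naming the syscall that required it, so the filter fails loudly and violations are noticed. The commented-out `# PrivateNetwork = true;` in the same hunk also deserves a one-line rationale, e.g. `# PrivateNetwork stays off: the service must reach/listen on TCP` (adjusted to the real reason), since a bare commented directive tells the next maintainer nothing about whether it was tried or why it was rejected. Two further directives of the same vintage that fit this set are `SystemCallArchitectures = "native";` and `RestrictRealtime = true;`; `MemoryDenyWriteExecute` is deliberately not suggested because it can break Python extension modules. The `serviceConfig` attribute set this hunk edits begins before the hunk.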