Harden the systemd service even more

2020-03-10 23:31:51 +01:00 · 2020-03-10 23:31:51 +01:00 · 2eddcca425
commit 2eddcca425
parent 43f9ae1311
1 changed files with 7 additions and 1 deletions
--- a/module.nix
+++ b/module.nix
@ -90,17 +90,23 @@ in
        ExecStartPre = "${strojnadzor}/bin/strojnadzor-admin migrate";
        ExecStart = "${strojnadzor}/bin/strojnadzor-admin runserver-gunicorn";
        StateDirectory = "strojnadzor";
+        CapabilityBoundingSet = "";
        LockPersonality = true;
        NoNewPrivileges = true;
        PrivateDevices = true;
-        RestrictNamespaces = true;
+        # PrivateNetwork = true;
        PrivateTmp = true;
+        PrivateUsers = true;
        ProtectControlGroups = true;
        ProtectHome = true;
        ProtectKernelModules = true;
        ProtectKernelTunables = true;
        ProtectSystem = "strict";
+        RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
+        RestrictNamespaces = true;
        RestrictSUIDSGID = true;
+        SystemCallErrorNumber = "EPERM";
+        SystemCallFilter = "@system-service";
      };
      environment.STROJNADZOR_DATA_DIR = "${cfg.stateDir}";
    };