Harden the systemd service even more

Andrey Golovizin 2020-03-10 23:31:51 +01:00
parent 43f9ae1311
commit 2eddcca425


@ -90,17 +90,23 @@ in
ExecStartPre = "${strojnadzor}/bin/strojnadzor-admin migrate"; ExecStartPre = "${strojnadzor}/bin/strojnadzor-admin migrate";
ExecStart = "${strojnadzor}/bin/strojnadzor-admin runserver-gunicorn"; ExecStart = "${strojnadzor}/bin/strojnadzor-admin runserver-gunicorn";
StateDirectory = "strojnadzor"; StateDirectory = "strojnadzor";
CapabilityBoundingSet = "";
LockPersonality = true; LockPersonality = true;
NoNewPrivileges = true; NoNewPrivileges = true;
PrivateDevices = true; PrivateDevices = true;
RestrictNamespaces = true; # PrivateNetwork = true;
PrivateTmp = true; PrivateTmp = true;
PrivateUsers = true;
ProtectControlGroups = true; ProtectControlGroups = true;
ProtectHome = true; ProtectHome = true;
ProtectKernelModules = true; ProtectKernelModules = true;
ProtectKernelTunables = true; ProtectKernelTunables = true;
ProtectSystem = "strict"; ProtectSystem = "strict";
RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
RestrictNamespaces = true;
RestrictSUIDSGID = true; RestrictSUIDSGID = true;
SystemCallErrorNumber = "EPERM";
SystemCallFilter = "@system-service";
}; };
environment.STROJNADZOR_DATA_DIR = "${cfg.stateDir}"; environment.STROJNADZOR_DATA_DIR = "${cfg.stateDir}";
}; };
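Review bot: `SystemCallErrorNumber = "EPERM"` makes every syscall outside `@system-service` fail softly instead of killing the worker with SIGSYS, so a filter violation in gunicorn or the migrate step no longer shows up as a terminated process in the journal and the application may just swallow the error; if that is deliberate, say so next to it, e.g. `# EPERM rather than SIGSYS: <reason, e.g. Python probes unsupported syscalls at startup>`. The `# PrivateNetwork = true;` left commented out has no explanation, and since `RestrictAddressFamilies` deliberately keeps `AF_INET`/`AF_INET6` for the listening socket a one-liner such as `# PrivateNetwork stays off: gunicorn must bind its listening socket` would spare the next reader the question. `CapabilityBoundingSet = ""` together with `PrivateUsers = true` is consistent, but the two additions presumably rely on `strojnadzor-admin migrate` and the gunicorn workers never needing root-equivalent capabilities even in the user namespace; worth confirming with a start under this unit before merging. The enclosing `serviceConfig` attribute set begins before the hunk, so any `User`/`Group` or `UMask` already set there is not visible here.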