Harden the systemd service

2020-03-10 22:51:21 +01:00 · 2020-03-10 22:51:21 +01:00 · 43f9ae1311
commit 43f9ae1311
parent 4d687b0d40
1 changed files with 11 additions and 0 deletions
--- a/module.nix
+++ b/module.nix
@ -90,6 +90,17 @@ in
        ExecStartPre = "${strojnadzor}/bin/strojnadzor-admin migrate";
        ExecStart = "${strojnadzor}/bin/strojnadzor-admin runserver-gunicorn";
        StateDirectory = "strojnadzor";
+        LockPersonality = true;
+        NoNewPrivileges = true;
+        PrivateDevices = true;
+        RestrictNamespaces = true;
+        PrivateTmp = true;
+        ProtectControlGroups = true;
+        ProtectHome = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        ProtectSystem = "strict";
+        RestrictSUIDSGID = true;
      };
      environment.STROJNADZOR_DATA_DIR = "${cfg.stateDir}";
    };