From 43f9ae13119b72fed30b0efbb524ad71091b1d38 Mon Sep 17 00:00:00 2001
From: Andrey Golovizin
Date: Tue, 10 Mar 2020 22:51:21 +0100
Subject: [PATCH] Harden the systemd service

---
 module.nix | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/module.nix b/module.nix
index f94ee5e..a1a1f5a 100644
--- a/module.nix
+++ b/module.nix
@@ -90,6 +90,17 @@ in
 ExecStartPre = "${strojnadzor}/bin/strojnadzor-admin migrate";
 ExecStart = "${strojnadzor}/bin/strojnadzor-admin runserver-gunicorn";
 StateDirectory = "strojnadzor";
+ LockPersonality = true;
+ NoNewPrivileges = true;
+ PrivateDevices = true;
+ RestrictNamespaces = true;
+ PrivateTmp = true;
+ ProtectControlGroups = true;
+ ProtectHome = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectSystem = "strict";
+ RestrictSUIDSGID = true;
 };
 environment.STROJNADZOR_DATA_DIR = "${cfg.stateDir}";
 };
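Review bot: With `ProtectSystem = "strict"` the only writable path this unit is granted is its `StateDirectory` (`/var/lib/strojnadzor`), yet the application is pointed at `${cfg.stateDir}` on the last context line; if that option can be set to any other location, both the `migrate` pre-start and the gunicorn process will fail on a read-only filesystem, so add `ReadWritePaths = [ cfg.stateDir ];` (or derive the env var from the StateDirectory instead). The new set also stops short of the directives that actually limit what a compromised Python process can reach — no `SystemCallFilter`, `SystemCallArchitectures`, `RestrictAddressFamilies` or `CapabilityBoundingSet` — and the `User` the service runs as is not visible in this hunk, so note that `NoNewPrivileges` and the Protect* options buy little if it is still root. The `serviceConfig` set these lines belong to begins before the hunk. `MemoryDenyWriteExecute` is deliberately left out of the proposal below because some Python C extensions need writable-executable mappings; enable it only after testing, and drop `CapabilityBoundingSet = ""` if gunicorn must bind a privileged port.
```nix
      StateDirectory = "strojnadzor";
      # … unchanged: existing hardening directives …
      RestrictSUIDSGID = true;
      # The data directory must remain writable under ProtectSystem=strict.
      ReadWritePaths = [ cfg.stateDir ];
      # gunicorn only needs TCP and Unix sockets.
      RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];
      RestrictRealtime = true;
      ProtectKernelLogs = true;
      # Assumes the service does not bind a privileged port; verify against cfg.
      CapabilityBoundingSet = "";
      SystemCallArchitectures = "native";
      SystemCallFilter = [ "@system-service" "~@privileged" ];
```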