felixalb/pvv-nixos-config
1
0
Fork 0
mirror of https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git synced 2026-06-18 10:29:13 +02:00
Code Issues Projects Releases Wiki Activity

temmie/userweb: further harden log-processor

Browse Source
This commit is contained in:
h7x4
2026-06-17 12:31:02 +09:00
parent 75f87ffab8
commit 89921b533b
1 changed files with 6 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files
hosts/temmie/services/userweb/log-processor.nix
+6 -4
View File
@@ -43,11 +43,12 @@ in
IPAddressDeny = "any"; IPAddressDeny = "any";
LockPersonality = true; LockPersonality = true;
MemoryDenyWriteExecute = true; MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
PrivateDevices = true; PrivateDevices = true;
PrivateNetwork = true;
PrivateIPC = true; PrivateIPC = true;
PrivateNetwork = true;
PrivateTmp = true; PrivateTmp = true;
# PrivateUsers = true; PrivateUsers = false;
ProcSubset = "pid"; ProcSubset = "pid";
ProtectClock = true; ProtectClock = true;
ProtectControlGroups = true; ProtectControlGroups = true;
@@ -55,11 +56,11 @@ in
ProtectHostname = true; ProtectHostname = true;
ProtectKernelLogs = true; ProtectKernelLogs = true;
ProtectKernelModules = true; ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible"; ProtectProc = "invisible";
ProtectSystem = "strict"; ProtectSystem = "strict";
ProtectKernelTunables = true;
RemoveIPC = true; RemoveIPC = true;
RestrictAddressFamilies = [ "" ]; RestrictAddressFamilies = [ "none" ];
RestrictNamespaces = true; RestrictNamespaces = true;
RestrictRealtime = true; RestrictRealtime = true;
RestrictSUIDSGID = true; RestrictSUIDSGID = true;
@@ -68,6 +69,7 @@ in
SystemCallFilter = [ SystemCallFilter = [
"@system-service" "@system-service"
"@setuid" "@setuid"
"~@resources"
]; ];
UMask = "0077"; UMask = "0077";