temmie/userweb: further harden log-processor

h7x4
2026-06-17 12:31:02 +09:00
parent 75f87ffab8
commit 89921b533b
@@ -43,11 +43,12 @@ in
IPAddressDeny = "any";
LockPersonality = true;
MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
PrivateDevices = true;
PrivateNetwork = true;
PrivateIPC = true;
PrivateNetwork = true;
PrivateTmp = true;
# PrivateUsers = true;
PrivateUsers = false;
ProcSubset = "pid";
ProtectClock = true;
ProtectControlGroups = true;
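Review bot: `PrivateUsers = false;` sits directly under a commented-out `# PrivateUsers = true;` with no explanation, and because this page has lost its +/- markers it is not certain which of the two is the new line. If the explicit `false` is the new side, it only restates systemd's default, so the unit still runs in the host user namespace and the reason should be recorded next to it, e.g. `# PrivateUsers must stay off: the processor switches to real host UIDs` (assuming that is the reason). The third hunk's `SystemCallFilter` lists `"@setuid"`, so it is worth confirming that `CapabilityBoundingSet`, which would be outside the visible lines, is limited to what the UID switch needs. The attribute set starts and ends outside this hunk.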
@@ -55,11 +56,11 @@ in
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProtectSystem = "strict";
ProtectKernelTunables = true;
RemoveIPC = true;
RestrictAddressFamilies = [ "" ];
RestrictAddressFamilies = [ "none" ];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
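Review bot: The two `RestrictAddressFamilies` values printed here are not equivalent, and nothing in the file says why one was chosen: `[ "" ]` would be rendered as an empty assignment, which systemd treats as resetting the list rather than denying anything, whereas `[ "none" ]` blocks every address family. Assuming `"none"` is the new side (the markers are lost on this page), a short comment such as `# "none" denies all socket families; an empty value only resets the list` would keep a later cleanup from reverting it. `none` needs systemd 249 or newer and also blocks AF_UNIX, so confirm the processor never opens a socket itself, for example to a syslog socket.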
@@ -68,6 +69,7 @@ in
SystemCallFilter = [
"@system-service"
"@setuid"
"~@resources"
];
UMask = "0077";