further systemd sandboxing

2026-06-03 09:34:11 +02:00 · 2024-08-11 15:40:55 +02:00 · 2024-08-11 15:40:55 +02:00 · 0dfa47f921
commit 0dfa47f921
parent e87394e20b
2 changed files with 33 additions and 13 deletions
--- a/evtype.service
+++ b/evtype.service
@ -3,26 +3,38 @@ Description=EvType

 [Service]
 # restrict permissions as much as possible
+CapabilityBoundingSet=true
+DeviceAllow=/dev/uinput
+DeviceAllow=/dev/stdout
+DevicePolicy=strict
+IPAddressDeny=any
+LockPersonality=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateNetwork=true
+PrivateTmp=true
+PrivateUsers=true
+ProcSubset=pid
+ProtectClock=true
 ProtectControlGroups=true
 ProtectHome=true
-ProtectKernelTunables=true
-ProtectSystem=strict
-RestrictSUIDSGID=true
-PrivateNetwork=true
-CapabilityBoundingSet=true
-RestrictNamespaces=true
-RestrictAddressFamilies=AF_UNIX
-PrivateUsers=true
-PrivateTmp=true
-ProtectKernelModules=true
+ProtectHostname=true
 ProtectKernelLogs=true
-NoNewPrivileges=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectProc=invisible
+ProtectSystem=strict
+RestrictAddressFamilies=AF_UNIX
+RestrictNamespaces=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+RuntimeDirectory=evtype
+SystemCallArchitectures=native
 SystemCallFilter=@system-service
 SystemCallFilter=~@resources
-MemoryDenyWriteExecute=true
-IPAddressDeny=any
-ReadWritePaths=/var/run
-RuntimeDirectory=evtype
+SystemCallFilter=~@privileged
+UMask=0077
+User=root

 ExecStart=/usr/bin/evtype_daemon

--- a/nix/module.nix
+++ b/nix/module.nix
@ -38,6 +38,12 @@ in {
        ProtectControlGroups = true;
        SystemCallArchitectures = "native";
        ProtectKernelModules = true;
+        RestrictSUIDSGID = true;
+        ProtectProc = "invisible";
+        ProcSubset = "pid";
+        PrivateUsers = true;
+        DevicePolicy = "strict";
+        DeviceAllow = ["/dev/uinput" "/dev/stdout"];
        RestrictNamespaces = true;
        MemoryDenyWriteExecute = true;
        ProtectHostname = true;
@ -46,8 +52,10 @@ in {
        RestrictAddressFamilies = ["AF_UNIX"];
        RestrictRealtime = true;
        SystemCallFilter = ["@system-service" "~@resources" "~@privileged"];
+        PrivateNetwork = true;
        IPAddressDeny = "any";
        RuntimeDirectory = "evtype";
+        UMask = "0077";
      };
    };
  };