robin/mitemp-prometheus
1
0
Fork 0
mirror of https://codeberg.org/icewind/mitemp-prometheus.git synced 2026-06-03 09:04:13 +02:00
Code Issues Projects Releases Packages Wiki Activity

lockdown module a bit more

Browse source
This commit is contained in:
Robin Appelman 2024-11-17 22:11:42 +01:00
commit eef5b4ff4b
1 changed files with 10 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

11
module.nix
View file

@ -71,11 +71,20 @@ in
RestrictAddressFamilies = [ "AF_UNIX" ]; RestrictAddressFamilies = [ "AF_UNIX" ];
RuntimeDirectory = "mitemp"; RuntimeDirectory = "mitemp";
RestrictRealtime = true; RestrictRealtime = true;
ProtectProc = "noaccess"; ProtectProc = "invisible";
SystemCallFilter = [ "@system-service" "~@resources" "~@privileged" ]; SystemCallFilter = [ "@system-service" "~@resources" "~@privileged" ];
IPAddressDeny = "any"; IPAddressDeny = "any";
PrivateUsers = true; PrivateUsers = true;
ProcSubset = "pid"; ProcSubset = "pid";
RemoveIPC = true;
PrivateDevices = true;
RestrictSUIDSGID = true;
BindPaths = [ "/run/dbus" ];
};
confinement = {
enable = true;
binSh = null;
}; };
}; };
}; };