lock down service more

This commit is contained in:
Robin Appelman 2022-07-05 20:15:06 +02:00
commit 767092809a


@ -216,6 +216,24 @@
ProtectSystem = "full"; ProtectSystem = "full";
ProtectHome = true; ProtectHome = true;
NoNewPrivileges = true; NoNewPrivileges = true;
PrivateDevices = true;
ProtectClock = true;
CapabilityBoundingSet = true;
ProtectKernelLogs = true;
ProtectControlGroups = true;
SystemCallArchitectures = "native";
ProtectKernelModules = true;
RestrictNamespaces = true;
MemoryDenyWriteExecute = true;
ProtectHostname = true;
LockPersonality = true;
ProtectKernelTunables = true;
RestrictAddressFamilies = "AF_INET AF_INET6";
RestrictRealtime = true;
ProtectProc = "noaccess";
PrivateUsers = true;
SystemCallFilter = ["@system-service" "~@resources" "~@privileged"];
IPAddressDeny = "localhost link-local multicast";
}; };
}; };
}; };
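Review bot: `CapabilityBoundingSet = true;` (fifth added line) does not do what the rest of this hardening set intends: systemd's `CapabilityBoundingSet=` takes a space-separated list of capability names (or an empty value to drop every capability), and NixOS renders the boolean as the literal token `true`, which is not a capability name and would at best be rejected with a warning rather than tighten anything. The value that matches the intent of the other new lines is `CapabilityBoundingSet = "";` — or, if the service needs a specific capability, name only that one, e.g. `CapabilityBoundingSet = "CAP_NET_BIND_SERVICE";`. Since `PrivateUsers = true;` is also set, the service already loses its host capabilities, but the bounding-set line should still be spelled correctly so the intended restriction survives if `PrivateUsers` is ever relaxed. Separately, `RestrictAddressFamilies = "AF_INET AF_INET6";` omits `AF_UNIX`; I cannot see from this hunk what the service is, but on NixOS anything that resolves names through nscd, logs to syslog, or uses `sd_notify` needs a Unix socket, so confirm that or add `AF_UNIX`. The enclosing `serviceConfig` attribute set starts outside the hunk.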