Add overkill hardening to specimen systemd service step-2

Signed-off-by: Mel <einebeere@gmail.com>

1 files changed, 30 insertions, 0 deletions

diff --git a/application/module.nix b/application/module.nix
index 7ec368d..78ac546 100644
--- a/application/module.nix
+++ b/application/module.nix
@@ -66,6 +66,36 @@ in
         Type = "exec";
         Restart = "always";
         ExecStart = "${cfg.package}/bin/specimen -address ${cfg.listenAddress} -port ${toString cfg.port} -name ${cfg.namePath}";
+
+        # a gigantic amount of hardening!!
+        # realistically this much wouldn't be necessary.
+        # mostly here to show off ;3
+        # for documentation, see: https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html
+        LockPersonality = true;
+        CapabilityBoundingSet = [ "" ];
+        DeviceAllow = [ "" ];
+        MemoryDenyWriteExecute = true;
+        NoNewPrivileges = true;
+        PrivateDevices = true;
+        PrivateTmp = true;
+        ProtectClock = true;
+        ProtectProc = "invisible";
+        ProtectControlGroups = true;
+        ProtectHome = true;
+        ProtectHostname = true;
+        ProtectKernelLogs = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        ProtectSystem = "strict";
+        RemoveIPC = true;
+        RestrictAddressFamilies = [
+          "AF_INET"
+          "AF_INET6"
+        ];
+        RestrictNamespaces = true;
+        RestrictRealtime = true;
+        RestrictSUIDSGID = true;
+        SystemCallArchitectures = "native";
       };
     };
   };