Diffstat (limited to 'application/module.nix')
| -rw-r--r-- | application/module.nix | 30 |
1 files changed, 30 insertions, 0 deletions
diff --git a/application/module.nix b/application/module.nix
index 7ec368d..78ac546 100644
--- a/application/module.nix
+++ b/application/module.nix
@@ -66,6 +66,36 @@ in
 Type = "exec";
 Restart = "always";
 ExecStart = "${cfg.package}/bin/specimen -address ${cfg.listenAddress} -port ${toString cfg.port} -name ${cfg.namePath}";
+
+ # a gigantic amount of hardening!!
+ # realistically this much wouldn't be necessary.
+ # mostly here to show off ;3
+ # for documentation, see: https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html
+ LockPersonality = true;
+ CapabilityBoundingSet = [ "" ];
+ DeviceAllow = [ "" ];
+ MemoryDenyWriteExecute = true;
+ NoNewPrivileges = true;
+ PrivateDevices = true;
+ PrivateTmp = true;
+ ProtectClock = true;
+ ProtectProc = "invisible";
+ ProtectControlGroups = true;
+ ProtectHome = true;
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectSystem = "strict";
+ RemoveIPC = true;
+ RestrictAddressFamilies = [
+ "AF_INET"
+ "AF_INET6"
+ ];
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ SystemCallArchitectures = "native";
 };
 };
 };
|
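Review bot: The hardening block stops short of a system-call filter, so the directive that `systemd-analyze security` weights most heavily is still missing; add `SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ];` next to `SystemCallArchitectures`, and `UMask = "0077";` so files the service creates are not world-readable by default. With `ProtectSystem = "strict"` everything outside /dev, /proc and /sys is read-only, so if `specimen` writes state or logs to disk it now needs a `StateDirectory`/`LogsDirectory` or `ReadWritePaths` entry — the hunk does not show whether it does. `ProtectHome = true` also hides /home, so a `cfg.namePath` pointing under a home directory would fail to open; a one-line comment above `ProtectHome` noting that restriction would save the next person a debugging session. The enclosing `serviceConfig` set starts above the hunk, so whether `User`/`DynamicUser` is set (which decides how much `CapabilityBoundingSet = [ "" ]` and `NoNewPrivileges` actually buy, and whether a `cfg.port` below 1024 can still be bound) cannot be checked from here.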
