diff --git a/nixos/modules/services/hardware/upower.nix b/nixos/modules/services/hardware/upower.nix index 2198842a4511..1da47349c077 100644 --- a/nixos/modules/services/hardware/upower.nix +++ b/nixos/modules/services/hardware/upower.nix @@ -56,6 +56,32 @@ in { Type = "dbus"; BusName = "org.freedesktop.UPower"; ExecStart = "@${cfg.package}/libexec/upowerd upowerd"; + Restart = "on-failure"; + # Upstream lockdown: + # Filesystem lockdown + ProtectSystem = "strict"; + # Needed by keyboard backlight support + ProtectKernelTunables = false; + ProtectControlGroups = true; + ReadWritePaths = "/var/lib/upower"; + ProtectHome = true; + PrivateTmp = true; + + # Network + # PrivateNetwork=true would block udev's netlink socket + RestrictAddressFamilies = "AF_UNIX AF_NETLINK"; + + # Execute Mappings + MemoryDenyWriteExecute = true; + + # Modules + ProtectKernelModules = true; + + # Real-time + RestrictRealtime = true; + + # Privilege escalation + NoNewPrivileges = true; }; }; diff --git a/pkgs/os-specific/linux/upower/default.nix b/pkgs/os-specific/linux/upower/default.nix index 629f61bf5b16..6c6e411000ac 100644 --- a/pkgs/os-specific/linux/upower/default.nix +++ b/pkgs/os-specific/linux/upower/default.nix @@ -4,11 +4,11 @@ }: stdenv.mkDerivation rec { - name = "upower-0.99.7"; + name = "upower-0.99.9"; src = fetchurl { - url = "https://upower.freedesktop.org/releases/${name}.tar.xz"; - sha256 = "00d4830yvg84brdhz4kn60lr3r8rn2y8gdbhmhxm78i5mgvc5g14"; + url = https://gitlab.freedesktop.org/upower/upower/uploads/2282c7c0e53fb31816b824c9d1f547e8/upower-0.99.9.tar.xz; + sha256 = "046ix7j7hmb7ycv8v54668kjsrgjhzwxn299c1d87vdnkd38kfh1"; }; buildInputs =