nixos/gitea: update sandboxing options

Izorkin 2020-07-31 15:53:48 +03:00
parent 6a0fd33b4c
commit dfd32f11f3


@ -467,27 +467,34 @@ in
# Runtime directory and mode # Runtime directory and mode
RuntimeDirectory = "gitea"; RuntimeDirectory = "gitea";
RuntimeDirectoryMode = "0755"; RuntimeDirectoryMode = "0755";
# Access write directories
# Filesystem
ProtectHome = true;
PrivateDevices = true;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectControlGroups = true;
ReadWritePaths = [ cfg.dump.backupDir cfg.repositoryRoot cfg.stateDir ]; ReadWritePaths = [ cfg.dump.backupDir cfg.repositoryRoot cfg.stateDir ];
UMask = "0027"; UMask = "0027";
# Caps # Capabilities
CapabilityBoundingSet = ""; CapabilityBoundingSet = "";
# Security
NoNewPrivileges = true; NoNewPrivileges = true;
# Misc. # Sandboxing
LockPersonality = true; ProtectSystem = "strict";
RestrictRealtime = true; ProtectHome = true;
PrivateMounts = true; PrivateTmp = true;
PrivateDevices = true;
PrivateUsers = true; PrivateUsers = true;
ProtectHostname = true;
ProtectClock = true;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectKernelLogs = true;
ProtectControlGroups = true;
RestrictAddressFamilies = [ "AF_UNIX AF_INET AF_INET6" ];
LockPersonality = true;
MemoryDenyWriteExecute = true; MemoryDenyWriteExecute = true;
SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @memlock @module @mount @obsolete @raw-io @reboot @resources @setuid @swap"; RestrictRealtime = true;
RestrictSUIDSGID = true;
PrivateMounts = true;
# System Call Filtering
SystemCallArchitectures = "native"; SystemCallArchitectures = "native";
RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6"; SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @memlock @module @mount @obsolete @raw-io @reboot @resources @setuid @swap";
}; };
environment = { environment = {
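Review bot: `RestrictAddressFamilies = [ "AF_UNIX AF_INET AF_INET6" ];` wraps a single space-separated string in a list, so it renders as the same one `RestrictAddressFamilies=` line the old string form produced and the list adds nothing; either keep the string or split it into `[ "AF_UNIX" "AF_INET" "AF_INET6" ]` so each family is a separate entry. The `SystemCallFilter` line is carried over unchanged as a deny list (`~@clock @cpu-emulation …`), which only blocks the named groups; the systemd-recommended allow-list form (e.g. `SystemCallFilter = "@system-service";` plus any groups gitea needs removed with `~`) would fail closed on syscall groups the list does not mention, and `@clock` is now also covered by `ProtectClock = true;`. `RestrictNamespaces = true;` is absent from the sandboxing group even though `PrivateUsers = true;` and `PrivateMounts = true;` are set, so it may be worth adding alongside them. The enclosing `serviceConfig` attribute set begins before this hunk.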