|
|
@ -85,6 +85,7 @@ in |
|
|
|
AmbientCapabilities = mkIf (cfg.port < 1024) [ "CAP_NET_BIND_SERVICE" ]; |
|
|
|
AmbientCapabilities = mkIf (cfg.port < 1024) [ "CAP_NET_BIND_SERVICE" ]; |
|
|
|
CapabilityBoundingSet = mkIf (cfg.port < 1024) [ "CAP_NET_BIND_SERVICE" ]; |
|
|
|
CapabilityBoundingSet = mkIf (cfg.port < 1024) [ "CAP_NET_BIND_SERVICE" ]; |
|
|
|
PrivateUsers = cfg.port >= 1024; |
|
|
|
PrivateUsers = cfg.port >= 1024; |
|
|
|
|
|
|
|
DynamicUser = true; |
|
|
|
LockPersonality = true; |
|
|
|
LockPersonality = true; |
|
|
|
MemoryDenyWriteExecute = true; |
|
|
|
MemoryDenyWriteExecute = true; |
|
|
|
PrivateDevices = true; |
|
|
|
PrivateDevices = true; |
|
|
@ -95,7 +96,9 @@ in |
|
|
|
ProtectKernelLogs = true; |
|
|
|
ProtectKernelLogs = true; |
|
|
|
ProtectKernelModules = true; |
|
|
|
ProtectKernelModules = true; |
|
|
|
ProtectKernelTunables = true; |
|
|
|
ProtectKernelTunables = true; |
|
|
|
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ]; |
|
|
|
ProtectProc = "invisible"; |
|
|
|
|
|
|
|
# AF_UNIX is for ssh-keygen, which relies on nscd to resolve the uid to a user |
|
|
|
|
|
|
|
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ]; |
|
|
|
RestrictNamespaces = true; |
|
|
|
RestrictNamespaces = true; |
|
|
|
RestrictRealtime = true; |
|
|
|
RestrictRealtime = true; |
|
|
|
SystemCallArchitectures = "native"; |
|
|
|
SystemCallArchitectures = "native"; |
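Review bot: The comment above the widened `RestrictAddressFamilies` in the second hunk says why AF_UNIX is needed (ssh-keygen → nscd) but not why the uid lookup needs a socket at all, which looks like a consequence of the `DynamicUser = true` added in the first hunk: a dynamically allocated uid is not in /etc/passwd and is presumably resolved through nscd/nss-systemd over a unix socket, so whoever later drops DynamicUser has no hint that AF_UNIX can be removed again. I would extend the comment to tie the two together, e.g. `# AF_UNIX is for ssh-keygen, which relies on nscd (a unix socket) to resolve the uid to a user;` / `# needed because DynamicUser allocates a transient uid that is not in /etc/passwd`. Worth noting in the same comment that AF_UNIX admits every unix socket the dynamic user may connect to, not only nscd's, since systemd has no narrower knob here; the remaining hardening (ProtectSystem=strict implied by DynamicUser, ProtectProc=invisible) limits but does not eliminate that surface. The enclosing `serviceConfig` attribute set starts and ends outside both hunks.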
|
|
|