44 lines
1.2 KiB
Nix
44 lines
1.2 KiB
Nix
{ ... }:
|
|
{
|
|
config.dendritic.features.security-systemd-rtkit = {
|
|
nixosModules = [
|
|
(
|
|
{ lib, ... }:
|
|
{
|
|
systemd.services.rtkit-daemon.serviceConfig = {
|
|
NoNewPrivileges = true;
|
|
ProtectSystem = "strict";
|
|
ProtectHome = true;
|
|
ProtectClock = true;
|
|
ProtectHostname = true;
|
|
ProtectKernelTunables = true;
|
|
ProtectKernelModules = true;
|
|
ProtectKernelLogs = true;
|
|
ProtectControlGroups = lib.mkDefault true;
|
|
PrivateTmp = lib.mkDefault true;
|
|
PrivateMounts = true;
|
|
PrivateDevices = true;
|
|
RestrictNamespaces = true;
|
|
RestrictSUIDSGID = true;
|
|
RestrictAddressFamilies = [
|
|
"~AF_INET6"
|
|
"~AF_INET"
|
|
"~AF_PACKET"
|
|
];
|
|
MemoryDenyWriteExecute = true;
|
|
DevicePolicy = "closed";
|
|
LockPersonality = true;
|
|
SystemCallFilter = [
|
|
"~@keyring"
|
|
"~@swap"
|
|
"~@clock"
|
|
"~@module"
|
|
"~@obsolete"
|
|
"~@cpu-emulation"
|
|
];
|
|
};
|
|
}
|
|
)
|
|
];
|
|
};
|
|
}
|