23 lines
592 B
Nix
23 lines
592 B
Nix
{ ... }:
|
|
{
|
|
config.dendritic.features.security-systemd-udevd = {
|
|
nixosModules = [
|
|
(
|
|
{ ... }:
|
|
{
|
|
systemd.services.systemd-udevd.serviceConfig = {
|
|
NoNewPrivileges = true;
|
|
ProtectSystem = "strict";
|
|
ProtectHome = true;
|
|
ProtectKernelLogs = true;
|
|
ProtectControlGroups = true;
|
|
ProtectClock = true;
|
|
ProtectProc = "invisible";
|
|
RestrictNamespaces = true;
|
|
CapabilityBoundingSet = "~CAP_SYS_PTRACE ~CAP_SYS_PACCT";
|
|
};
|
|
}
|
|
)
|
|
];
|
|
};
|
|
}
|