harden some services

Christoph Cullmann 2025-03-30 17:47:45 +02:00
parent 4dfee5afcc
commit 18b4351fa4
No known key found for this signature in database


@ -84,6 +84,37 @@ in
"tipc"
];
# harden some services
systemd.services.systemd-rfkill = {
serviceConfig = {
ProtectSystem = "strict";
ProtectHome = true;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectControlGroups = true;
ProtectClock = true;
ProtectProc = "invisible";
ProcSubset = "pid";
PrivateTmp = true;
MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
LockPersonality = true;
RestrictRealtime = true;
SystemCallArchitectures = "native";
UMask = "0077";
IPAddressDeny = "any";
};
};
systemd.services.systemd-journald = {
serviceConfig = {
UMask = 0077;
PrivateNetwork = true;
ProtectHostname = true;
ProtectKernelModules = true;
};
};
# Use the systemd-boot EFI boot loader.
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
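Review bot: `ProtectSystem = "strict"` on systemd-rfkill (L17) makes /var read-only unless the unit also declares a writable path, and the upstream unit persists switch state under /var/lib/systemd/rfkill, so the save on shutdown may fail with EROFS; if the unit on this system does not already carry a StateDirectory or ReadWritePaths, add `ReadWritePaths = [ "/var/lib/systemd/rfkill" ];` beside it and confirm with `systemctl status systemd-rfkill` after a reboot. `ProtectHostname = true` on systemd-journald pins the hostname at service start, so entries written after a runtime hostname change would presumably carry a stale `_HOSTNAME`; either drop it or add a comment recording that trade-off. `UMask = 0077;` in the journald block is a Nix integer literal (rendered as `UMask=77`, which systemd reads as octal and should come out the same mode) while the rfkill block uses the string `"0077"`; writing `UMask = "0077";` in both places avoids the ambiguity and keeps the two blocks consistent.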