From 18b4351fa4283adef6ccd5295522263fc9474210 Mon Sep 17 00:00:00 2001
From: Christoph Cullmann
Date: Sun, 30 Mar 2025 17:47:45 +0200
Subject: [PATCH] harden some services

---
 share/common.nix | 31 +++++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)

diff --git a/share/common.nix b/share/common.nix
index 9c5dbb4..92d0963 100644
--- a/share/common.nix
+++ b/share/common.nix
@@ -84,6 +84,37 @@ in
     "tipc"
   ];
 
+  # harden some services
+  systemd.services.systemd-rfkill = {
+    serviceConfig = {
+      ProtectSystem = "strict";
+      ProtectHome = true;
+      ProtectKernelTunables = true;
+      ProtectKernelModules = true;
+      ProtectControlGroups = true;
+      ProtectClock = true;
+      ProtectProc = "invisible";
+      ProcSubset = "pid";
+      PrivateTmp = true;
+      MemoryDenyWriteExecute = true;
+      NoNewPrivileges = true;
+      LockPersonality = true;
+      RestrictRealtime = true;
+      SystemCallArchitectures = "native";
+      UMask = "0077";
+      IPAddressDeny = "any";
+    };
+  };
+
+  systemd.services.systemd-journald = {
+    serviceConfig = {
+      UMask = 0077;
+      PrivateNetwork = true;
+      ProtectHostname = true;
+      ProtectKernelModules = true;
+    };
+  };
+
   # Use the systemd-boot EFI boot loader.
   boot.loader.systemd-boot.enable = true;
   boot.loader.efi.canTouchEfiVariables = true;
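Review bot: `ProtectSystem = "strict";` on the systemd-rfkill unit mounts /var read-only, yet systemd-rfkill persists the switch state under /var/lib/systemd/rfkill, so the save will fail unless the upstream unit already declares a state directory; add `StateDirectory = "systemd/rfkill";` (or an equivalent `ReadWritePaths`) next to it and verify after a reboot that toggling rfkill produces no write errors in the journal. The journald block sets `UMask = 0077;` as a bare Nix integer while the rfkill block uses the string `"0077"`; the quoted form is the one whose serialization into the unit file is unambiguous, so `UMask = "0077";` keeps both blocks consistent. `PrivateNetwork = true;` on systemd-journald goes beyond the upstream unit's own hardening; it is likely harmless because journald's listening sockets are handed over by socket activation, but confirm after boot that the service stays healthy and that kernel audit messages still arrive in the journal.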