Merge pull request #108238 from snicket2100/more-dnscrypt-proxy-hardening

nixos/dnscrypt-proxy2: more service hardening
author: Guillaume Girol <symphorien@users.noreply.github.com> 2021-02-08 19:22:44 +0000
committer: GitHub <noreply@github.com> 2021-02-08 19:22:44 +0000
commit: 2630a2df91f23d1ac6ed4c257f86c28a422dda44 (patch)
tree: a4fe83448043dd86441af6ee6225998607820246 /nixos/modules
parent: 4239d3450c40f9c2f4ab287df2dffbe23b05656d (diff)
parent: 2bab1a76c6b0d051c3f420f792edc0d5f09d53f4 (diff)
1 files changed, 7 insertions, 1 deletions
diff --git a/nixos/modules/services/networking/dnscrypt-proxy2.nix b/nixos/modules/services/networking/dnscrypt-proxy2.nix
index ff8a2ab307746..afc2a6d1c757c 100644
--- a/nixos/modules/services/networking/dnscrypt-proxy2.nix
+++ b/nixos/modules/services/networking/dnscrypt-proxy2.nix
@@ -87,6 +87,7 @@ in
         NoNewPrivileges = true;
         NonBlocking = true;
         PrivateDevices = true;
+        ProtectClock = true;
         ProtectControlGroups = true;
         ProtectHome = true;
         ProtectHostname = true;
@@ -107,8 +108,13 @@ in
         SystemCallFilter = [
           "@system-service"
           "@chown"
+          "~@aio"
+          "~@keyring"
+          "~@memlock"
           "~@resources"
-          "@privileged"
+          "~@setuid"
+          "~@sync"
+          "~@timer"
         ];
       };
     };
author	Guillaume Girol <symphorien@users.noreply.github.com>	2021-02-08 19:22:44 +0000
committer	GitHub <noreply@github.com>	2021-02-08 19:22:44 +0000
commit	2630a2df91f23d1ac6ed4c257f86c28a422dda44 (patch)
tree	a4fe83448043dd86441af6ee6225998607820246 /nixos/modules
parent	4239d3450c40f9c2f4ab287df2dffbe23b05656d (diff)
parent	2bab1a76c6b0d051c3f420f792edc0d5f09d53f4 (diff)