diff options
| author | Sandro <sandro.jaeckel@gmail.com> | 2020-11-27 18:53:36 +0100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2020-11-27 18:53:36 +0100 |
| commit | a390213f8557a734fd3a18d38edf43c3c436ac05 (patch) | |
| tree | be56002c59a66da3ab839bc653807a63091bab83 /nixos/modules | |
| parent | eb7d36720048f6df6f830ab61f143f823b43e073 (diff) | |
| parent | 2b0ee787dd38414101d4b76b5a1818c9a21c57cd (diff) | |
Merge pull request #85133 from snicket2100/mosquitto-service-sandboxing
mosquitto: systemd service sandboxing
Diffstat (limited to 'nixos/modules')
| -rw-r--r-- | nixos/modules/services/networking/mosquitto.nix | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/nixos/modules/services/networking/mosquitto.nix b/nixos/modules/services/networking/mosquitto.nix index 4a85b3956daeb..10b49d9b2206e 100644 --- a/nixos/modules/services/networking/mosquitto.nix +++ b/nixos/modules/services/networking/mosquitto.nix @@ -232,6 +232,16 @@ in Restart = "on-failure"; ExecStart = "${pkgs.mosquitto}/bin/mosquitto -c ${mosquittoConf}"; ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; + + ProtectSystem = "strict"; + ProtectHome = true; + PrivateDevices = true; + PrivateTmp = true; + ReadWritePaths = "${cfg.dataDir}"; + ProtectControlGroups = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + NoNewPrivileges = true; }; preStart = '' rm -f ${cfg.dataDir}/passwd |