| field | value |
|---|---|
| author | Martin Weinelt <hexa@darmstadt.ccc.de>, 2021-04-24 17:22:54 +0200 |
| committer | Martin Weinelt <hexa@darmstadt.ccc.de>, 2021-05-01 19:46:48 +0200 |
| commit | 33e867620eb1e27d44a35fb57944ce8a5bccfdab (patch) |
| tree | 0cfd2434f57e355521b35b91b1623b2a9c634994 /nixos/tests/mosquitto.nix |
| parent | 6aec5a24a4ba03f6c499b48ea7c71111db629e7b (diff) |
nixos/mosquitto: harden systemd unit
It can still network; it can only access the ssl related files if ssl is enabled.

✗ PrivateNetwork=                          Service has access to the host's network          0.5
✗ RestrictAddressFamilies=~AF_(INET|INET6) Service may allocate Internet sockets             0.3
✗ DeviceAllow=                             Service has a device ACL with some special devices 0.1
✗ IPAddressDeny=                           Service does not define an IP address allow list  0.2
✗ RootDirectory=/RootImage=                Service runs within the host's root directory     0.1
✗ RestrictAddressFamilies=~AF_UNIX         Service may allocate local sockets                0.1

→ Overall exposure level for mosquitto.service: 1.1 OK 🙂
Diffstat (limited to 'nixos/tests/mosquitto.nix')
-rw-r--r-- | nixos/tests/mosquitto.nix | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/nixos/tests/mosquitto.nix b/nixos/tests/mosquitto.nix index 308c1396013d6..e29bd559ed9bb 100644 --- a/nixos/tests/mosquitto.nix +++ b/nixos/tests/mosquitto.nix @@ -1,4 +1,4 @@ -import ./make-test-python.nix ({ pkgs, ... }: +import ./make-test-python.nix ({ pkgs, lib, ... }: let port = 1888; @@ -30,6 +30,9 @@ in { ]; }; }; + + # disable private /tmp for this test + systemd.services.mosquitto.serviceConfig.PrivateTmp = lib.mkForce false; }; client1 = client; |
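Review bot: the comment on the `PrivateTmp` override in the second hunk (`# disable private /tmp for this test`) says what the line does but not why the test needs it; state what the test places in /tmp that the hardened unit must be able to read, so a later reader does not drop the override, or copy a disabled sandbox setting into a real deployment. Because `lib.mkForce false` switches off one of the settings this hardening commit introduces, the test no longer exercises `PrivateTmp=` at all; if feasible, keep the files the test needs out of /tmp (for example in a directory the unit is granted, such as one under `StateDirectory=`) and leave the unit's sandboxing intact in the test.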