author | Philipp Bartsch <phil@grmr.de> | 2020-07-17 00:30:51 +0200 |
committer | Philipp Bartsch <phil@grmr.de> | 2020-09-03 17:54:15 +0200 |
commit | 118f34172351a3cc30f930ed1de06a0f90a6bbb3 (patch) | |
tree | 26a6a594e4f4b6bff8a706bd7e2b6971c4dd5f55 /nixos | |
parent | c643d583498157128e5722898265ab81f76b0a6e (diff) |
nixos/opendkim: add systemd service sandbox
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/services/mail/opendkim.nix | 29 |
1 files changed, 29 insertions, 0 deletions
diff --git a/nixos/modules/services/mail/opendkim.nix b/nixos/modules/services/mail/opendkim.nix
index eb6a426684d42..f4d856944ec66 100644
--- a/nixos/modules/services/mail/opendkim.nix
+++ b/nixos/modules/services/mail/opendkim.nix
@@ -129,6 +129,35 @@ in {
 User = cfg.user;
 Group = cfg.group;
 RuntimeDirectory = optional (cfg.socket == defaultSock) "opendkim";
+ StateDirectory = "opendkim";
+ StateDirectoryMode = "0700";
+
+ AmbientCapabilities = [];
+ CapabilityBoundingSet = [];
+ DevicePolicy = "closed";
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ NoNewPrivileges = true;
+ PrivateDevices = true;
+ PrivateMounts = true;
+ PrivateTmp = true;
+ PrivateUsers = true;
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ ProtectHome = true;
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectSystem = "strict";
+ RemoveIPC = true;
+ RestrictAddressFamilies = [ "AF_INET" "AF_INET6 AF_UNIX" ];
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ SystemCallArchitectures = "native";
+ SystemCallFilter = [ "@system-service" "~@privileged @resources" ];
+ UMask = "0077";
 };
 }; |
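Review bot: The two list-valued settings near the end of the hunk mix one-entry-per-string with several entries packed into a single space-separated string, `"AF_INET6 AF_UNIX"` and `"~@privileged @resources"`; systemd tokenises the unit-file value so it works, but it reads as a typo and hides that `~` applies to both groups, so write them as `RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];` and `SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ];`. With `ProtectSystem = "strict"` and only `StateDirectory = "opendkim"` writable, any key material the module creates or refreshes at start-up under a user-configured key path outside /var/lib/opendkim would now hit a read-only filesystem; that logic is outside this hunk, so if it exists, add `ReadWritePaths = [ cfg.keyPath ];` (or document that keys must live under the state directory). The enclosing serviceConfig attribute set starts before the hunk.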