author | Vincent Haupert <vincent@yaxi.tech> | 2023-02-09 09:54:48 +0100 |
committer | pennae <82953136+pennae@users.noreply.github.com> | 2023-02-11 18:21:21 +0100 |
commit | 3c3da8768be059beae12c87173146666c81c55ca (patch) | |
tree | f1f33ca89d3c8a6fa1fee7741e52242bd3fe3270 /nixos | |
parent | a36fc1d72afcb5cba99c516432a1a26240aa0be8 (diff) |
nixos/envoy: further service hardening
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/services/networking/envoy.nix | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/nixos/modules/services/networking/envoy.nix b/nixos/modules/services/networking/envoy.nix
index f41eaa62425e2..7552234f1ee09 100644
--- a/nixos/modules/services/networking/envoy.nix
+++ b/nixos/modules/services/networking/envoy.nix
@@ -60,10 +60,14 @@ in
 # Hardening
 AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
 CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
+ DeviceAllow = [ "" ];
+ DevicePolicy = "closed";
 DynamicUser = true;
 LockPersonality = true;
+ MemoryDenyWriteExecute = false; # at least wasmr needs WX permission
 PrivateDevices = true;
 PrivateUsers = false; # breaks CAP_NET_BIND_SERVICE
+ ProcSubset = "pid";
 ProtectClock = true;
 ProtectControlGroups = true;
 ProtectHome = true;
@@ -77,7 +81,8 @@ in
 RestrictNamespaces = true;
 RestrictRealtime = true;
 SystemCallArchitectures = "native";
- SystemCallFilter = [ "~@clock" "~@module" "~@mount" "~@reboot" "~@swap" "~@obsolete" "~@cpu-emulation" ];
+ SystemCallErrorNumber = "EPERM";
+ SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ];
 UMask = "0066";
 };
 }; |
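Review bot: The comment on the added `MemoryDenyWriteExecute = false;` line does not say which component needs W^X relaxed — `wasmr` reads like a truncated "wasm runtime" — and since false is already systemd's default for this setting, the line exists only to document a deliberately omitted hardening, so the comment should carry that reasoning. Suggest `# Envoy's Wasm runtime needs writable+executable pages (JIT); deliberately left off, set to true if Wasm filters are not used`. Deployments that never load Wasm filters lose W^X enforcement for the whole process, which may deserve a module option; I cannot tell from the hunk whether one exists. The added `DevicePolicy = "closed";` is, as far as I recall, already implied by the `PrivateDevices = true;` two lines below it, so a short comment or dropping it would avoid a reader wondering which one wins. The `# Hardening` attribute set this hunk sits in starts and ends outside the hunk.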
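Review bot: The added `SystemCallErrorNumber = "EPERM";` turns every filter violation from a SIGSYS kill into a plain error return, but the hunk does not record which denied call Envoy is expected to survive, so a later reader cannot tell whether the relaxation is still needed or which of `~@privileged` / `~@resources` it compensates for. Suggest a comment above it naming the call(s), e.g. `# <SYSCALL-PLACEHOLDER> (in ~@resources) is denied; return EPERM so Envoy degrades instead of dying with SIGSYS`, with the placeholder replaced by the actual call observed. The detection trade-off is worth stating in the same comment: with EPERM the denial no longer surfaces as a SIGSYS crash in the journal but only as an EPERM inside Envoy's own logging, so anyone using seccomp kills as an alerting signal for this unit should know that. The `serviceConfig` set closed by the two trailing `};` lines begins outside the hunk.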