nixos/envoy: further service hardening

author: Vincent Haupert <vincent@yaxi.tech> 2023-02-09 09:54:48 +0100
committer: pennae <82953136+pennae@users.noreply.github.com> 2023-02-11 18:21:21 +0100
commit: 3c3da8768be059beae12c87173146666c81c55ca (patch)
tree: f1f33ca89d3c8a6fa1fee7741e52242bd3fe3270 /nixos
parent: a36fc1d72afcb5cba99c516432a1a26240aa0be8 (diff)
1 files changed, 6 insertions, 1 deletions
diff --git a/nixos/modules/services/networking/envoy.nix b/nixos/modules/services/networking/envoy.nix
index f41eaa62425e2..7552234f1ee09 100644
--- a/nixos/modules/services/networking/envoy.nix
+++ b/nixos/modules/services/networking/envoy.nix
@@ -60,10 +60,14 @@ in
         # Hardening
         AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
         CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
+        DeviceAllow = [ "" ];
+        DevicePolicy = "closed";
         DynamicUser = true;
         LockPersonality = true;
+        MemoryDenyWriteExecute = false; # at least wasmr needs WX permission
         PrivateDevices = true;
         PrivateUsers = false; # breaks CAP_NET_BIND_SERVICE
+        ProcSubset = "pid";
         ProtectClock = true;
         ProtectControlGroups = true;
         ProtectHome = true;
@@ -77,7 +81,8 @@ in
         RestrictNamespaces = true;
         RestrictRealtime = true;
         SystemCallArchitectures = "native";
-        SystemCallFilter = [ "~@clock" "~@module" "~@mount" "~@reboot" "~@swap" "~@obsolete" "~@cpu-emulation" ];
+        SystemCallErrorNumber = "EPERM";
+        SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ];
         UMask = "0066";
       };
     };
author	Vincent Haupert <vincent@yaxi.tech>	2023-02-09 09:54:48 +0100
committer	pennae <82953136+pennae@users.noreply.github.com>	2023-02-11 18:21:21 +0100
commit	3c3da8768be059beae12c87173146666c81c55ca (patch)
tree	f1f33ca89d3c8a6fa1fee7741e52242bd3fe3270 /nixos
parent	a36fc1d72afcb5cba99c516432a1a26240aa0be8 (diff)