author | lewo <lewo@abesis.fr> | 2020-09-05 08:46:19 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-09-05 08:46:19 +0200 |
commit | d65002aff596adc363b10f1390bf206f4fc62a2a (patch) | |
tree | f65760e867edd90372896f83cdd68654e44d04d8 /nixos | |
parent | f87374dc693e0a13cf71c98d635bc14f3ecda601 (diff) | |
parent | c46dd4e2215134f055b0876b88a773aca8d357f0 (diff) |
Merge pull request #93314 from tnias/nixos_opendkim_20200717
nixos/opendkim: systemd sandbox
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/doc/manual/release-notes/rl-2009.xml | 6 | ||||
-rw-r--r-- | nixos/modules/services/mail/opendkim.nix | 30 |
2 files changed, 36 insertions, 0 deletions
diff --git a/nixos/doc/manual/release-notes/rl-2009.xml b/nixos/doc/manual/release-notes/rl-2009.xml
index 0a76bffd5c98d..7d11d422e3025 100644
--- a/nixos/doc/manual/release-notes/rl-2009.xml
+++ b/nixos/doc/manual/release-notes/rl-2009.xml
@@ -1059,6 +1059,12 @@ services.transmission.settings.rpc-bind-address = "0.0.0.0";
 removed, as it depends on libraries from deepin.
 </para>
 </listitem>
+ <listitem>
+ <para>
+ The <literal>opendkim</literal> module now uses systemd sandboxing features
+ to limit the exposure of the system towards the opendkim service.
+ </para>
+ </listitem>
 </itemizedlist>
 </section>
 </section>
diff --git a/nixos/modules/services/mail/opendkim.nix b/nixos/modules/services/mail/opendkim.nix
index eb6a426684d42..9bf6f338d93ed 100644
--- a/nixos/modules/services/mail/opendkim.nix
+++ b/nixos/modules/services/mail/opendkim.nix
@@ -129,6 +129,36 @@ in {
 User = cfg.user;
 Group = cfg.group;
 RuntimeDirectory = optional (cfg.socket == defaultSock) "opendkim";
+ StateDirectory = "opendkim";
+ StateDirectoryMode = "0700";
+ ReadWritePaths = [ cfg.keyPath ];
+
+ AmbientCapabilities = [];
+ CapabilityBoundingSet = [];
+ DevicePolicy = "closed";
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ NoNewPrivileges = true;
+ PrivateDevices = true;
+ PrivateMounts = true;
+ PrivateTmp = true;
+ PrivateUsers = true;
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ ProtectHome = true;
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectSystem = "strict";
+ RemoveIPC = true;
+ RestrictAddressFamilies = [ "AF_INET" "AF_INET6 AF_UNIX" ];
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ SystemCallArchitectures = "native";
+ SystemCallFilter = [ "@system-service" "~@privileged @resources" ];
+ UMask = "0077";
 };
 };
|
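Review bot: With `ProtectSystem = "strict"` the only writable locations left are `RuntimeDirectory`, `StateDirectory` and `ReadWritePaths`, but `RuntimeDirectory` is only created when `cfg.socket == defaultSock`, so a non-default `local:` socket configured anywhere else would, as far as I can tell from this hunk, fail when opendkim tries to create it; either extend `ReadWritePaths` with that socket's parent directory or state the constraint in the `socket` option's description. `ReadWritePaths = [ cfg.keyPath ];` also gives the running daemon write access to its own signing keys; if writes there are only needed by a key-generation preStart (not visible in this hunk), moving that step out of the sandboxed main process and listing `cfg.keyPath` under `ReadOnlyPaths` instead would keep a compromised milter from replacing the keys. As a point of style, `RestrictAddressFamilies = [ "AF_INET" "AF_INET6 AF_UNIX" ];` mixes one family per element with a space-joined string — it works because systemd accepts space-separated values, but `RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];` reads as intended, and a comment such as `# leading ~ applies to the whole assignment: @privileged and @resources are both denied` above the `SystemCallFilter` line would save the next reader a trip to the manual. The enclosing `serviceConfig` attribute set begins outside this hunk.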