Merge pull request #255227 from tomfitzhenry/postfix-harden

nixos/postfix: add systemd hardening directives
author: Nick Cao <nickcao@nichi.co> 2023-12-23 10:36:18 -0500
committer: GitHub <noreply@github.com> 2023-12-23 10:36:18 -0500
commit: a83ee8f51493e1d6d0310e48a0fbbb1d68fd7a39 (patch)
tree: c2e6380b178939d89a949f350e60d31de0643a12 /nixos
parent: a81009a7ddf51923a697294e29163d78016e32e6 (diff)
parent: dd1b3b077af7250742b710d53f983e271bff0b5b (diff)
1 files changed, 13 insertions, 0 deletions
diff --git a/nixos/modules/services/mail/postfix.nix b/nixos/modules/services/mail/postfix.nix
index 23c47aaca7e23..e8b5f832e66eb 100644
--- a/nixos/modules/services/mail/postfix.nix
+++ b/nixos/modules/services/mail/postfix.nix
@@ -779,6 +779,19 @@ in
             ExecStart = "${pkgs.postfix}/bin/postfix start";
             ExecStop = "${pkgs.postfix}/bin/postfix stop";
             ExecReload = "${pkgs.postfix}/bin/postfix reload";
+
+            # Hardening
+            PrivateTmp = true;
+            PrivateDevices = true;
+            ProtectSystem = "full";
+            CapabilityBoundingSet = [ "~CAP_NET_ADMIN CAP_SYS_ADMIN CAP_SYS_BOOT CAP_SYS_MODULE" ];
+            MemoryDenyWriteExecute = true;
+            ProtectKernelModules = true;
+            ProtectKernelTunables = true;
+            ProtectControlGroups = true;
+            RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_NETLINK" "AF_UNIX" ];
+            RestrictNamespaces = true;
+            RestrictRealtime = true;
           };
         };
author	Nick Cao <nickcao@nichi.co>	2023-12-23 10:36:18 -0500
committer	GitHub <noreply@github.com>	2023-12-23 10:36:18 -0500
commit	a83ee8f51493e1d6d0310e48a0fbbb1d68fd7a39 (patch)
tree	c2e6380b178939d89a949f350e60d31de0643a12 /nixos
parent	a81009a7ddf51923a697294e29163d78016e32e6 (diff)
parent	dd1b3b077af7250742b710d53f983e271bff0b5b (diff)