NixOS / nixpkgs

Nix Packages collection & NixOS
MIT License

Harden and update to use the new features in systemd-232 #20186

Open spacekitteh opened 7 years ago

spacekitteh commented 7 years ago

Once systemd-232 is merged (#20156) and things are working, we have a bunch of tasks:

peterhoeg commented 7 years ago

This is the best practice list from the mailing list:

```ini
CapabilityBoundingSet=...
MemoryDenyWriteExecute=yes
NoNewPrivileges=yes
PrivateDevices=yes
PrivateTmp=yes
PrivateUsers=yes
ProtectControlGroups=yes
ProtectHome=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectSystem=strict
RestrictAddressFamilies=AF_NETLINK AF_UNIX
RestrictNamespaces=yes
RestrictRealtime=yes
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @resources
```

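The list above is written as raw unit-file directives; in nixpkgs the same settings are expressed through `systemd.services.<name>.serviceConfig`. The following NixOS module is an added example, not code from nixpkgs or from the commenters in this thread. It defines a hypothetical `example-daemon` service (the name, the placeholder binary built with `writeShellScriptBin`, and the choice to empty `CapabilityBoundingSet` entirely are assumptions for illustration) and applies every directive from the list, plus `DynamicUser=` from systemd 232 and a `StateDirectory=` (systemd 235 or later) so the service still has a writable location under `ProtectSystem=strict`.

```nix
# Added example, not part of nixpkgs: a NixOS module applying the
# mailing-list hardening set to a hypothetical service.
{ config, lib, pkgs, ... }:

let
  # Placeholder daemon (assumption): stands in for a real package so the
  # module evaluates and the unit starts on a test machine.
  exampleDaemon = pkgs.writeShellScriptBin "example-daemon" ''
    exec ${pkgs.coreutils}/bin/sleep infinity
  '';
in
{
  systemd.services.example-daemon = {
    description = "Example daemon sandboxed with systemd 232+ directives";
    wantedBy = [ "multi-user.target" ];
    after = [ "network.target" ];

    # String values are used deliberately: NixOS serializes a list as one
    # "Key=value" line per element, which changes the meaning of
    # SystemCallFilter= (the leading "~" must cover the whole set).
    serviceConfig = {
      ExecStart = "${exampleDaemon}/bin/example-daemon";

      # systemd 232: run as a transient, unprivileged UID allocated per start.
      DynamicUser = true;
      # systemd 235+: /var/lib/example-daemon, the only writable state.
      StateDirectory = "example-daemon";

      # Assumption: this daemon needs no capabilities at all, so the bounding
      # set is emptied. A daemon binding ports below 1024 would instead list
      # CAP_NET_BIND_SERVICE here and in AmbientCapabilities=, and would have
      # to drop PrivateUsers=, which strips host-namespace capabilities.
      CapabilityBoundingSet = "";

      MemoryDenyWriteExecute = true;  # breaks JIT runtimes; drop for those
      NoNewPrivileges = true;
      PrivateDevices = true;
      PrivateTmp = true;
      PrivateUsers = true;
      ProtectControlGroups = true;
      ProtectHome = true;
      ProtectKernelModules = true;
      ProtectKernelTunables = true;
      ProtectSystem = "strict";

      # Only local sockets: a daemon that talks TCP/IP must add AF_INET AF_INET6.
      RestrictAddressFamilies = "AF_NETLINK AF_UNIX";
      RestrictNamespaces = true;
      RestrictRealtime = true;

      # Deny list ("~"): the named syscall groups terminate the process.
      SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @resources";
    };
  };
}
```

After `nixos-rebuild switch`, confirm the generated unit carries the settings with `systemctl show example-daemon.service -p CapabilityBoundingSet -p ProtectSystem -p SystemCallFilter`; on systemd 240 or newer, `systemd-analyze security example-daemon.service` scores the unit and lists every directive still left at its default. Expect a real daemon to need a few of these relaxed (writable paths beyond `StateDirectory=`, a wider address-family set, or a less aggressive syscall filter); tighten first and widen only on observed failures.
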
globin commented 7 years ago

systemd 232 is on staging (a38f1911d34f2a72e15d5e98d76bece6cb8042a8)

ckauhaus commented 5 years ago

We are on systemd-239 now. Is this still relevant?

peterhoeg commented 5 years ago

Very much so - we are not really making use of the various capabilities to lock things down (yet).