nixos/cjdns: tightened permissions via systemd, added caps

author: Sophie Taylor <sophie@traumapony.org> 2016-11-05 01:22:17 +1000
committer: Emery Hemingway <emery@vfemail.net> 2016-11-04 17:00:23 +0100
commit: 20e81f7c0d56e0b179115ca72a85b81ff637d909 (patch)
tree: cac5b17fd0f6c4ecf68ff1f6f3570c8506234bd9 /nixos/modules/services/networking/cjdns.nix
parent: ffa3f868c94f2816b0f006fb407c1370df03a02b (diff)
1 files changed, 4 insertions, 1 deletions
diff --git a/nixos/modules/services/networking/cjdns.nix b/nixos/modules/services/networking/cjdns.nix
index b293cba737a1..7e981183353d 100644
--- a/nixos/modules/services/networking/cjdns.nix
+++ b/nixos/modules/services/networking/cjdns.nix
@@ -245,7 +245,10 @@ in
       serviceConfig = {
         Type = "forking";
         Restart = "on-failure";
-
+        CapabilityBoundingSet = "CAP_NET_ADMIN CAP_NET_RAW";
+        AmbientCapabilities = "CAP_NET_ADMIN CAP_NET_RAW";
+        ProtectSystem = "full";
+        MemoryDenyWriteExecute = true;
         ProtectHome = true;
         PrivateTmp = true;
       };
author	Sophie Taylor <sophie@traumapony.org>	2016-11-05 01:22:17 +1000
committer	Emery Hemingway <emery@vfemail.net>	2016-11-04 17:00:23 +0100
commit	20e81f7c0d56e0b179115ca72a85b81ff637d909 (patch)
tree	cac5b17fd0f6c4ecf68ff1f6f3570c8506234bd9 /nixos/modules/services/networking/cjdns.nix
parent	ffa3f868c94f2816b0f006fb407c1370df03a02b (diff)