From 20e81f7c0d56e0b179115ca72a85b81ff637d909 Mon Sep 17 00:00:00 2001
From: Sophie Taylor <sophie@traumapony.org>
Date: Sat, 5 Nov 2016 01:22:17 +1000
Subject: nixos/cjdns: tightened permissions via systemd, added caps

---
 nixos/modules/services/networking/cjdns.nix | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

(limited to 'nixos/modules/services/networking/cjdns.nix')

diff --git a/nixos/modules/services/networking/cjdns.nix b/nixos/modules/services/networking/cjdns.nix
index b293cba737a1..7e981183353d 100644
--- a/nixos/modules/services/networking/cjdns.nix
+++ b/nixos/modules/services/networking/cjdns.nix
@@ -245,7 +245,10 @@ in
       serviceConfig = {
         Type = "forking";
         Restart = "on-failure";
-
+        CapabilityBoundingSet = "CAP_NET_ADMIN CAP_NET_RAW";
+        AmbientCapabilities = "CAP_NET_ADMIN CAP_NET_RAW";
+        ProtectSystem = "full";
+        MemoryDenyWriteExecute = true;
         ProtectHome = true;
         PrivateTmp = true;
       };
-- 
cgit v1.2.3