Mirrors/home-manager
1
0
Fork 0
Code Issues Pull requests Actions Packages Projects Releases Wiki Activity

syncthing: add more service sandboxing

Browse source
This commit is contained in:
Robert Helgesson 2021-08-14 13:25:54 +02:00
parent a965b097b1
commit 654d82f888
No known key found for this signature in database
GPG key ID: 36BDAA14C2797E89
1 changed files with 7 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
modules/services/syncthing.nix
View file

@ -61,8 +61,15 @@ with lib;
Restart = "on-failure";
SuccessExitStatus = [ 3 4 ];
RestartForceExitStatus = [ 3 4 ];
# Sandboxing.
LockPersonality = true;
MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
PrivateUsers = true;
RestrictNamespaces = true;
SystemCallArchitectures = "native";
SystemCallFilter = "@system-service";
};
Install = { WantedBy = [ "default.target" ]; };