Mirrors/home-manager
1
0
Fork 0
Code Issues Pull requests Actions Packages Projects Releases Wiki Activity

flameshot: add some service sandboxing

Browse source
This commit is contained in:
Robert Helgesson 2021-08-14 15:13:31 +02:00
parent 654d82f888
commit 72f3bc6fa4
No known key found for this signature in database
GPG key ID: 36BDAA14C2797E89
1 changed files with 9 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

9
modules/services/flameshot.nix
View file

@ -34,6 +34,15 @@ in {
Environment = "PATH=${config.home.profileDirectory}/bin"; Environment = "PATH=${config.home.profileDirectory}/bin";
ExecStart = "${package}/bin/flameshot"; ExecStart = "${package}/bin/flameshot";
Restart = "on-abort"; Restart = "on-abort";
# Sandboxing.
LockPersonality = true;
MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
PrivateUsers = true;
RestrictNamespaces = true;
SystemCallArchitectures = "native";
SystemCallFilter = "@system-service";
}; };
}; };
}; };