From d21158e2345543411adac971e1ba9f560d9d8909 Mon Sep 17 00:00:00 2001
From: Noratrieb <48135649+Noratrieb@users.noreply.github.com>
Date: Mon, 18 Aug 2025 21:54:20 +0200
Subject: [PATCH] harden

---
 nix/apps/widetom/default.nix | 15 +++++++++++++++
 nix/modules/default/default.nix | 16 ++++++++++++++++
 2 files changed, 31 insertions(+)

diff --git a/nix/apps/widetom/default.nix b/nix/apps/widetom/default.nix
index 2ff0598..d9fcc07 100644
--- a/nix/apps/widetom/default.nix
+++ b/nix/apps/widetom/default.nix
@@ -32,6 +32,21 @@ in
 serviceConfig = {
 DynamicUser = true;
 ExecStart = lib.getExe widetom;
+ PrivateDevices = true;
+ ProtectHome = true;
+ ProtectClock = true;
+ ProtectKernelLogs = true;
+ ProtectHostname = true;
+ ProtectKernelTunables = true;
+ CapabilityBoundingSet = "";
+ ProtectProc = "noaccess";
+ RestrictNamespaces = true;
+ MemoryDenyWriteExecute = true;
+ ProtectControlGroups = true;
+ ProtectKernelModules = true;
+ SystemCallArchitectures = "";
+ SystemCallFilter = "@system-service";
+ RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
 };
 };
diff --git a/nix/modules/default/default.nix b/nix/modules/default/default.nix
index 4138af9..b14b5ab 100644
--- a/nix/modules/default/default.nix
+++ b/nix/modules/default/default.nix
@@ -188,6 +188,22 @@ in
 };
 systemd.services.alloy.serviceConfig = {
 DynamicUser = lib.mkForce false;
+ PrivateDevices = true;
+ ProtectClock = true;
+ ProtectKernelLogs = true;
+ PrivateMounts = true;
+ ProtectControlGroups = true;
+ ProtectHostname = true;
+ LockPersonality = true;
+ ProtectKernelTunables = true;
+ ProtectSystem = true;
+ ProtectHome = true;
+ PrivateTmp = true;
+ NoNewPrivileges = true;
+ RestrictNamespaces = "";
+ RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];
+ # TODO: find what's required for /proc/kallsyms (it should be CAP_SYSLOG!)
+ # CapabilityBoundingSet = "CAP_SYS_PTRACE CAP_BPF CAP_SYSLOG";
 };
 environment.etc."alloy/config.alloy".text = ''
 discovery.process "all" {
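Review bot: `SystemCallArchitectures = "";` in the widetom serviceConfig installs no architecture filter at all: systemd.exec(5) treats an empty assignment as resetting the architecture list, and with an empty list no seccomp architecture restriction is applied. The value that confines the unit to the host ABI is `SystemCallArchitectures = "native";`. This is the only option in the hunk whose empty-string form means "off" — `CapabilityBoundingSet = ""` is the documented way to drop every capability and is correct as written. For consistency with the alloy unit in the second hunk, `LockPersonality = true;` could be added here as well. The enclosing unit definition starts above the hunk.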
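Review bot: `RestrictNamespaces = "";` in the alloy serviceConfig is a no-op: systemd.exec(5) specifies that an empty assignment applies the default namespace restrictions, which is equivalent to false, so the unit keeps unrestricted namespace creation despite the hardening intent. The widetom hunk uses `RestrictNamespaces = true;`, and the same line belongs here unless alloy's process discovery genuinely needs a namespace type, in which case the specific types should be listed rather than the empty string. Separately, because `DynamicUser = lib.mkForce false` on the context line removes the implied strict mode, `ProtectSystem = true` only makes /usr and the boot directories read-only; `ProtectSystem = "strict";` with a StateDirectory for alloy's writable storage would be the stronger form, though alloy's write paths are not visible here. The enclosing attribute set continues outside the hunk.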