buffyboard: harden systemd service

modules/services/buffyboard.nix

@@ -85,7 +85,43 @@ in
       serviceConfig.ExecStart = "${lib.getExe' cfg.package "buffyboard"} ${lib.escapeShellArgs cfg.extraFlags}";
       serviceConfig.Restart = "on-failure";
       serviceConfig.RestartSec = "2s";
-      # TODO: sandboxing
+
+      # hardening
+      # serviceConfig.AmbientCapabilities = "";  #< extraneous, with CapabilityBoundingSet
+      serviceConfig.CapabilityBoundingSet = "";
+      serviceConfig.MemoryDenyWriteExecute = true;
+      serviceConfig.NoNewPrivileges = true;
+      serviceConfig.LockPersonality = true;
+      serviceConfig.RestrictSUIDSGID = true;
+      serviceConfig.PrivateMounts = true;
+      serviceConfig.PrivateTmp = true;
+      serviceConfig.PrivateUsers = true;
+      serviceConfig.ProtectClock = true;
+      serviceConfig.ProtectControlGroups = true;
+      serviceConfig.ProtectHome = true;
+      serviceConfig.ProtectKernelModules = true;
+      serviceConfig.ProtectHostname = true;
+      serviceConfig.ProtectKernelLogs = true;
+      serviceConfig.ProtectKernelTunables = true;
+      serviceConfig.RemoveIPC = true;
+      serviceConfig.ProtectSystem = "strict";
+      serviceConfig.RestrictAddressFamilies = "AF_NETLINK";  #< AF_NETLINK required to access udev
+      serviceConfig.SystemCallArchitectures = "native";
+      serviceConfig.SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ];
+      serviceConfig.DevicePolicy = "closed";
+      serviceConfig.DeviceAllow = [
+        "/dev/uinput rw"
+        "char-fb rw"
+        "char-input rw"
+        "char-tty rw"
+      ];
+      # PrivateDevices=true  #< breaks everything
+      # PrivateNetwork=true  #< breaks udev
+      #
+      # root user is unaffected by Proc*
+      # ProcSubset=pid
+      # ProtectProc=noaccess
+      # DynamicUser=true
     };
 
     environment.etc."buffyboard.conf".source = ini.generate "buffyboard.conf" cfg.settings;