networkmanager: tighten ProtectSystem
to "strict"
This commit is contained in:
parent
09333c992c
commit
a1e923f999
|
@ -78,7 +78,7 @@ in {
|
|||
serviceConfig.ProtectKernelLogs = true; # disable /proc/kmsg, /dev/kmsg
|
||||
serviceConfig.ProtectKernelModules = true; # syscall filter to prevent module calls (probably not upstreamable: NM will want to load modules like `ppp`)
|
||||
serviceConfig.ProtectKernelTunables = true; # but NM might need to write /proc/sys/net/...
|
||||
serviceConfig.ProtectSystem = "full"; # makes read-only: /boot, /etc/, /usr. TODO: "strict" would make all but /dev, /proc, /sys inaccessible.
|
||||
serviceConfig.ProtectSystem = "strict"; # makes read-only: all but /dev, /proc, /sys.
|
||||
serviceConfig.RestrictAddressFamilies = [
|
||||
"AF_INET"
|
||||
"AF_INET6"
|
||||
|
@ -88,19 +88,17 @@ in {
|
|||
# AF_ALG ?
|
||||
# AF_BLUETOOTH ?
|
||||
# AF_BRIDGE ?
|
||||
# AF_NETLINK ?
|
||||
# AF_PACKET ?
|
||||
];
|
||||
serviceConfig.RestrictSUIDSGID = true;
|
||||
serviceConfig.SystemCallArchitectures = "native"; # prevents e.g. aarch64 syscalls in the event that the kernel is multi-architecture.
|
||||
# TODO: it needs these directories:
|
||||
# from earlier `landlock` sandboxing, i know it needs these directories:
|
||||
# - "/proc/net"
|
||||
# - "/proc/sys/net"
|
||||
# - "/run/NetworkManager"
|
||||
# - "/run/systemd" # for trust-dns-nmhook
|
||||
# - "/run/udev"
|
||||
# - # "/run/wg-home.priv"
|
||||
# - "/sys/class" #< TODO: specify this more precisely
|
||||
# - "/sys/class"
|
||||
# - "/sys/devices"
|
||||
# - "/var/lib/NetworkManager"
|
||||
# - "/var/lib/trust-dns" #< for trust-dns-nmhook
|
||||
|
|
Loading…
Reference in New Issue
Block a user