nixos-containers: Set DevicePolicy=closed

This makes the container a bit more secure, by preventing root creating device nodes to access the host file system, for instance. (Reference: systemd-nspawn@.service in systemd.)
2016-07-28 17:39:14 +02:00 · 2016-07-28 17:39:14 +02:00 · fd5bbdb436
commit fd5bbdb436
parent bf3edfbb3c
1 changed files with 2 additions and 0 deletions
--- a/nixos/modules/virtualisation/containers.nix
+++ b/nixos/modules/virtualisation/containers.nix
@ -415,6 +415,8 @@ in
        # after the timeout). So send an ignored signal.
        KillMode = "mixed";
        KillSignal = "WINCH";
+
+        DevicePolicy = "closed";
      };
    };
  in {