Merge pull request #108238 from snicket2100/more-dnscrypt-proxy-hardening

nixos/dnscrypt-proxy2: more service hardening
2025-02-20 11:05:14 +00:00 · 2021-02-08 19:22:44 +00:00 · 2021-02-08 19:22:44 +00:00 · 2630a2df91
commit 2630a2df91
parent 4239d3450c 2bab1a76c6
1 changed files with 7 additions and 1 deletions
--- a/nixos/modules/services/networking/dnscrypt-proxy2.nix
+++ b/nixos/modules/services/networking/dnscrypt-proxy2.nix
@ -87,6 +87,7 @@ in
        NoNewPrivileges = true;
        NonBlocking = true;
        PrivateDevices = true;
+        ProtectClock = true;
        ProtectControlGroups = true;
        ProtectHome = true;
        ProtectHostname = true;
@ -107,8 +108,13 @@ in
        SystemCallFilter = [
          "@system-service"
          "@chown"
+          "~@aio"
+          "~@keyring"
+          "~@memlock"
          "~@resources"
-          "@privileged"
+          "~@setuid"
+          "~@sync"
+          "~@timer"
        ];
      };
    };