nixos/gerrit: Apply initial hardening using the systemd unit

These options are a good start for sandboxing the service. It's planned to set `ProtectSystem` to `strict` instead of `full`, but that requires specific directories to be configured as writable. It's also planned to filter system calls. However, that requires more testing but it shouldn't prevent us from applying these options for now and add others later. Signed-off-by: Felix Singer <felixsinger@posteo.net>
2025-02-01 17:53:14 +00:00 · 2024-10-10 07:12:28 +02:00 · 2024-10-10 07:12:28 +02:00 · 3d30811d4e
commit 3d30811d4e
parent 6b955bdbb9
1 changed files with 21 additions and 0 deletions
--- a/nixos/modules/services/web-apps/gerrit.nix
+++ b/nixos/modules/services/web-apps/gerrit.nix
@ -222,6 +222,27 @@ in
        StandardOutput = "journal";
        StateDirectory = "gerrit";
        WorkingDirectory = "%S/gerrit";
+        AmbientCapabilities = "";
+        CapabilityBoundingSet = "";
+        LockPersonality = true;
+        NoNewPrivileges = true;
+        PrivateDevices = true;
+        PrivateTmp = true;
+        ProtectClock = true;
+        ProtectControlGroups = true;
+        ProtectHome = true;
+        ProtectHostname = true;
+        ProtectKernelLogs = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        ProtectProc = "noaccess";
+        ProtectSystem = "full";
+        RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
+        RestrictNamespaces = true;
+        RestrictRealtime = true;
+        RestrictSUIDSGID = true;
+        SystemCallArchitectures = "native";
+        UMask = 027;
      };
    };
  };