From 738c80630738e2ded2672357d558938f59197d9f Mon Sep 17 00:00:00 2001
From: Guanran Wang
Date: Mon, 25 Dec 2023 14:13:46 +0800
Subject: [PATCH] nixos/clash: apply hardening
---
 nixos/modules/services/clash.nix | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)
diff --git a/nixos/modules/services/clash.nix b/nixos/modules/services/clash.nix
index 94669af..9278761 100644
--- a/nixos/modules/services/clash.nix
+++ b/nixos/modules/services/clash.nix
@@ -61,6 +61,30 @@ in {
 # https://man.archlinux.org/man/core/man-pages/capabilities.7.en
 CapabilityBoundingSet = ["CAP_NET_ADMIN" "CAP_NET_BIND_SERVICE" "CAP_NET_RAW"];
 AmbientCapabilities = ["CAP_NET_ADMIN" "CAP_NET_BIND_SERVICE" "CAP_NET_RAW"];
+
+ # Hardening, experimental since I have no idea what am I doing
+ NoNewPrivileges = true;
+ MemoryDenyWriteExecute = true;
+ LockPersonality = true;
+
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+
+ ProtectSystem = "strict";
+ ProtectProc = "noaccess";
+ ProtectHome = true;
+ ProtectClock = true;
+ ProtectKernelLogs = true;
+ ProtectControlGroups = true;
+ ProtectKernelModules = true;
+ ProtectHostname = true;
+ ProtectKernelTunables = true;
+
+ PrivateDevices = true;
+ #PrivateNetwork = true;
+ PrivateTmp = true;
+ PrivateUsers = true;
+ PrivateMounts = true;
 };
 };
 };
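Review bot: `PrivateUsers = true;` undermines the `AmbientCapabilities` granted in the context lines just above it: a service placed in its own user namespace only holds CAP_NET_ADMIN, CAP_NET_RAW and CAP_NET_BIND_SERVICE relative to that namespace, so they no longer take effect on the host's network namespace (privileged ports, interface/route changes, TUN setup), which is presumably why those capabilities were granted in the first place. Either drop the `PrivateUsers = true;` line or, if the proxy can run fully unprivileged, drop the capability lines as well so the unit does not claim rights it cannot use. `PrivateDevices = true` and `ProtectSystem = "strict"` are also likely to need companions that this hunk does not show — a `DeviceAllow` entry for `/dev/net/tun` if TUN mode is used, and a `StateDirectory`/`ReadWritePaths` for whatever the service writes — but the surrounding serviceConfig starts outside the hunk, so I cannot confirm whether they are already set. The `# Hardening, experimental since I have no idea what am I doing` comment and the dead `#PrivateNetwork = true;` line should go; a comment such as `# Sandboxing per systemd.exec(5); PrivateUsers is omitted so the CAP_NET_* grants above remain effective on the host` would record the actual constraint.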