nixos/clash: apply hardening

Guanran Wang 2023-12-25 14:13:46 +08:00
parent e27bfc9672
commit 738c806307
Signed by: nyancat
SSH key fingerprint: SHA256:8oWGKciPALWut/6WA27oFKofX+6Wtc0gQnsefXLQx/8


@ -61,6 +61,30 @@ in {
# https://man.archlinux.org/man/core/man-pages/capabilities.7.en
CapabilityBoundingSet = ["CAP_NET_ADMIN" "CAP_NET_BIND_SERVICE" "CAP_NET_RAW"];
AmbientCapabilities = ["CAP_NET_ADMIN" "CAP_NET_BIND_SERVICE" "CAP_NET_RAW"];
# Hardening, experimental since I have no idea what am I doing
NoNewPrivileges = true;
MemoryDenyWriteExecute = true;
LockPersonality = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
ProtectSystem = "strict";
ProtectProc = "noaccess";
ProtectHome = true;
ProtectClock = true;
ProtectKernelLogs = true;
ProtectControlGroups = true;
ProtectKernelModules = true;
ProtectHostname = true;
ProtectKernelTunables = true;
PrivateDevices = true;
#PrivateNetwork = true;
PrivateTmp = true;
PrivateUsers = true;
PrivateMounts = true;
};
};
};
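Review bot: `PrivateUsers = true;` near the end of the added block conflicts with the `AmbientCapabilities` list kept just above it. systemd.exec(5) documents that a unit running in a private user namespace holds no capabilities in the host's user namespace, so CAP_NET_ADMIN, CAP_NET_BIND_SERVICE and CAP_NET_RAW would presumably stop applying to the host network stack. I would drop that line or leave it commented out with the reason, as was done for `#PrivateNetwork = true;`. `PrivateDevices = true;` also hides `/dev/net/tun`, so if the service is meant to run in TUN mode (not visible here) it likely needs `PrivateDevices = false; DevicePolicy = "closed"; DeviceAllow = ["/dev/net/tun rw"];` instead. The attribute set starts above the hunk, so confirm that a `StateDirectory` or `ReadWritePaths` accompanies `ProtectSystem = "strict"`, and replace the "experimental" comment with what `systemd-analyze security` reports for the unit.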