nixos/clash: apply more hardening options

Guanran Wang 2024-01-03 19:21:55 +08:00
parent d690d256e1
commit 978d71fed2
Signed by: nyancat
SSH key fingerprint: SHA256:8oWGKciPALWut/6WA27oFKofX+6Wtc0gQnsefXLQx/8


@ -59,31 +59,32 @@ in {
LoadCredential = "configuration:${cfg.configFile}"; LoadCredential = "configuration:${cfg.configFile}";
### Hardening ### Hardening
# Experimental, since I have no idea what am I doing... CapabilityBoundingSet = "";
CapabilityBoundingSet = ["CAP_NET_ADMIN" "CAP_NET_BIND_SERVICE" "CAP_NET_RAW"]; DeviceAllow = "";
AmbientCapabilities = ["CAP_NET_ADMIN" "CAP_NET_BIND_SERVICE" "CAP_NET_RAW"];
NoNewPrivileges = true;
MemoryDenyWriteExecute = true;
LockPersonality = true; LockPersonality = true;
MemoryDenyWriteExecute = true;
RestrictRealtime = true; NoNewPrivileges = true;
RestrictSUIDSGID = true;
ProtectSystem = "strict";
ProtectProc = "noaccess";
ProtectHome = true;
ProtectClock = true;
ProtectKernelLogs = true;
ProtectControlGroups = true;
ProtectKernelModules = true;
ProtectHostname = true;
ProtectKernelTunables = true;
PrivateDevices = true; PrivateDevices = true;
PrivateMounts = true;
PrivateTmp = true; PrivateTmp = true;
PrivateUsers = true; PrivateUsers = true;
PrivateMounts = true; ProcSubset = "pid";
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProtectSystem = "strict";
RestrictRealtime = true;
RestrictSUIDSGID = true;
RestrictNamespaces = true;
RestrictAddressFamilies = "AF_INET AF_INET6";
SystemCallArchitectures = "native";
SystemCallFilter = "@system-service bpf";
UMask = "0077";
}; };
}; };
}; };
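Review bot: The new side empties `CapabilityBoundingSet` and drops the former `AmbientCapabilities` (CAP_NET_ADMIN, CAP_NET_BIND_SERVICE, CAP_NET_RAW), and at the same time limits `RestrictAddressFamilies` to `"AF_INET AF_INET6"` and keeps `PrivateDevices = true`, so the unit presumably can no longer bind ports below 1024, open /dev/net/tun, or talk to AF_NETLINK for route changes; if a TUN-mode or privileged-port configuration is ever loaded through `cfg.configFile` it will fail at runtime rather than at evaluation, and the commit records no intent either way. A one-line comment would make the trade-off explicit, e.g. `# All capabilities dropped on purpose: this unit is not meant to run TUN mode or bind ports < 1024; re-add CAP_NET_ADMIN/CAP_NET_RAW/CAP_NET_BIND_SERVICE, AF_NETLINK and /dev/net/tun if that changes.` Relatedly, `SystemCallFilter = "@system-service bpf"` allows bpf(2) while the empty bounding set provides no CAP_BPF or CAP_SYS_ADMIN, so the allowance looks either dead or a sign that a needed capability is missing; I would either drop `bpf` or note why it is listed. The `serviceConfig` attribute set this hunk edits starts before the hunk, so the surrounding `User`/`DynamicUser` settings that PrivateUsers interacts with are not visible here.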