
Commit fb97448

nixos/go2rtc: harden systemd service
To follow the principle of least privilege, remove privileges the service does not require by configuring systemd service settings. See #377827
1 parent 2f686e0 commit fb97448


1 file changed

+31
-2
lines changed


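--- a/nixos/modules/services/video/go2rtc/default.nix
+++ b/nixos/modules/services/video/go2rtc/default.nix
@@ -5,7 +5,6 @@
   pkgs,
   ...
 }:
-
 let
   inherit (lib)
     literalExpression
@@ -21,7 +20,6 @@ let
   format = pkgs.formats.yaml { };
   configFile = format.generate "go2rtc.yaml" cfg.settings;
 in
-
 {
   meta.buildDocsInSandbox = false;
 
@@ -110,6 +108,37 @@ in
         ];
         StateDirectory = "go2rtc";
         ExecStart = "${cfg.package}/bin/go2rtc -config ${configFile}";
+        RemoveIPC = true;
+        RestrictNamespaces = true;
+        RestrictRealtime = true;
+        RestrictSUIDSGID = true;
+        RestrictAddressFamilies = [
+          "AF_INET"
+          "AF_INET6"
+          "AF_NETLINK"
+          "AF_UNIX"
+        ];
+        SystemCallFilter = [
+          "@system-service"
+          "~@privileged"
+        ];
+        SystemCallArchitectures = "native";
+        CapabilityBoundingSet = "";
+        LockPersonality = true;
+        NoNewPrivileges = true;
+        PrivateTmp = true;
+        PrivateMounts = true;
+        ProtectClock = true;
+        ProtectControlGroups = true;
+        ProtectHome = true;
+        ProtectHostname = true;
+        ProtectKernelLogs = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        ProtectProc = "invisible";
+        ProcSubset = "pid";
+        ProtectSystem = "strict";
+        UMask = "0077";
       };
     };
   };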
