
greetd.service hardening
- Hardened service config for greetd
- Exposure level after hardening: 3.5

Signed-off-by: Ganga Ram <[email protected]>
gngram committed Dec 11, 2024
1 parent 745a6df commit e05abdb
Showing 1 changed file with 91 additions and 0 deletions.
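--- /dev/null
+++ b/modules/common/systemd/hardened-configs/common/greetd.nix
@@ -0,0 +1,91 @@
+# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+#
+{
+##############
+# Networking #
+##############
+IPAccounting = true;
+IPAddressDeny = "any";
+RestrictAddressFamilies = [
+"~AF_PACKET"
+];
+
+###############
+# File system #
+###############
+
+ProtectSystem = "full";
+ProtectProc = "noaccess";
+ReadWritePaths = [
+"/run"
+"/var/"
+"/dev/"
+];
+
+PrivateMounts = true;
+ProcSubset = "all";
+
+##########
+# Kernel #
+##########
+
+ProtectKernelTunables = true;
+ProtectKernelModules = true;
+ProtectKernelLogs = true;
+
+########
+# Misc #
+########
+
+NoNewPrivileges = true;
+UMask = 77;
+ProtectHostname = true;
+ProtectClock = true;
+ProtectControlGroups = true;
+RestrictNamespaces = true;
+LockPersonality = true;
+MemoryDenyWriteExecute = true;
+RestrictRealtime = true;
+RestrictSUIDSGID = true;
+SystemCallArchitectures = "native";
+NotifyAccess = false;
+
+################
+# Capabilities #
+################
+#AmbientCapabilities = ["CAP_SYS_ADMIN" "CAP_SYS_RESOURCE"];
+CapabilityBoundingSet = [
+#"CAP_SYS_ADMIN"
+"CAP_IPC_LOCK"
+"CAP_SYS_TTY_CONFIG"
+"CAP_SETGID"
+"CAP_CHOWN"
+"CAP_SETUID"
+"CAP_IPC_OWNER"
+];
+
+################
+# System calls #
+################
+
+SystemCallFilter = [
+"@setuid"
+"@chown"
+"@system-service"
+"@file-system"
+"@basic-io"
+"@ipc"
+"@signal"
+"~@clock"
+"~@cpu-emulation"
+"~@debug"
+"~@module"
+"~@mount"
+"~@obsolete"
+"~@raw-io"
+"~@reboot"
+"~@swap"
+];
+
+}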
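Review bot: `NotifyAccess = false;` in the Misc block serializes to `NotifyAccess=false`, which is not one of systemd's documented values (none, main, exec, all), so it is likely rejected with a parse warning at unit load rather than applied; the resulting default happens to be none, but the intent should be spelled out as `NotifyAccess = "none";` so the line actually takes effect. The `ReadWritePaths` entries (`/run`, `/var/`, `/dev/`) appear redundant under `ProtectSystem = "full"`, which only makes /usr, /boot and /etc read-only and leaves those paths writable anyway; they would only matter with `ProtectSystem = "strict"`, so either strict mode was intended or the list is dead config, which is worth confirming against what greetd needs. As a caveat for the next maintainer, greetd launches the greeter and, as far as I know, the user session as child processes of this unit, so the seccomp filter, `MemoryDenyWriteExecute` and the capability bounding set are presumably inherited by everything started from the login unless the session is moved into its own unit; a short header comment stating which session workloads this profile was validated against would help. `UMask = 77;` is parsed by systemd as octal so it works as 0077, but writing it as the string `"0077"` would make that explicit.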
