service hardening: add more restrictions

Add RestrictSUIDSGID Add RemoveIPC Add RestrictRealtime Add ProtectHostname
fort-nix · May 24, 2020 · ccc3a70 · ccc3a70
1 parent 3fbfa98
commit ccc3a70
Showing 1 changed file with 4 additions and 0 deletions.
diff --git a/modules/nix-bitcoin-services.nix b/modules/nix-bitcoin-services.nix
@@ -21,6 +21,10 @@ with lib;
       LockPersonality = "true";
       IPAddressDeny = "any";
       PrivateUsers = "true";
+      RestrictSUIDSGID = "true";
+      RemoveIPC = "true";
+      RestrictRealtime = "true";
+      ProtectHostname = "true";
       CapabilityBoundingSet = "";
       # @system-service whitelist and docker seccomp blacklist (except for "clone"
       # which is a core requirement for systemd services)