espanso: add sandboxing for systemd service

2025-02-18 14:15:08 +01:00 · 2024-10-18 22:20:18 +02:00 · 2024-10-18 22:20:18 +02:00 · 0678a95352
commit 0678a95352
parent 2b13611eae
2 changed files with 16 additions and 0 deletions
--- a/modules/services/espanso.nix
+++ b/modules/services/espanso.nix
@ -124,6 +124,15 @@ in {
        Type = "exec";
        ExecStart = "${cfg.package}/bin/espanso daemon";
        Restart = "on-failure";
        # Sandboxing.
        LockPersonality = true;
        MemoryDenyWriteExecute = true;
        NoNewPrivileges = true;
        PrivateUsers = true;
        RestrictNamespaces = true;
        SystemCallArchitectures = "native";
        SystemCallFilter = "@system-service";
      };
      Install = { WantedBy = [ "default.target" ]; };
    };
--- a/tests/modules/services/espanso/basic-configuration.service
+++ b/tests/modules/services/espanso/basic-configuration.service
@ -3,7 +3,14 @@ WantedBy=default.target
 [Service]
 ExecStart=@espanso@/bin/espanso daemon
 LockPersonality=true
 MemoryDenyWriteExecute=true
 NoNewPrivileges=true
 PrivateUsers=true
 Restart=on-failure
 RestrictNamespaces=true
 SystemCallArchitectures=native
 SystemCallFilter=@system-service
 Type=exec
 [Unit]