diff --git a/modules/services/syncthing.nix b/modules/services/syncthing.nix
index c9def213d..168566156 100644
--- a/modules/services/syncthing.nix
+++ b/modules/services/syncthing.nix
@@ -61,8 +61,15 @@ with lib;
 Restart = "on-failure";
 SuccessExitStatus = [ 3 4 ];
 RestartForceExitStatus = [ 3 4 ];
+
+ # Sandboxing.
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
 NoNewPrivileges = true;
 PrivateUsers = true;
+ RestrictNamespaces = true;
+ SystemCallArchitectures = "native";
+ SystemCallFilter = "@system-service";
 };
 
 Install = { WantedBy = [ "default.target" ]; };
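Review bot: `SystemCallFilter = "@system-service"` is added without a `SystemCallErrorNumber`, so a system call outside that set terminates Syncthing with SIGSYS instead of returning an error. With `Restart = "on-failure"` in the same block, that would surface as repeated restarts that are hard to trace back to the filter, for example after a Syncthing or Go runtime update. If killing the process is the intended fail-closed behaviour, say so in the comment, e.g. `# Sandboxing. Syscalls outside @system-service kill the process (SIGSYS).`; otherwise add `SystemCallErrorNumber = "EPERM";` after the filter line. The `Service` attribute set begins above the hunk, so any options set earlier in it are not visible here.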