mirror of https://github.com/nix-community/home-manager synced 2024-12-24 10:49:48 +01:00

syncthing: add more service sandboxing

Robert Helgesson 2021-08-14 13:25:54 +02:00
parent a965b097b1
commit 654d82f888
No known key found for this signature in database
GPG key ID: 36BDAA14C2797E89


@ -61,8 +61,15 @@ with lib;
Restart = "on-failure"; Restart = "on-failure";
SuccessExitStatus = [ 3 4 ]; SuccessExitStatus = [ 3 4 ];
RestartForceExitStatus = [ 3 4 ]; RestartForceExitStatus = [ 3 4 ];
# Sandboxing.
LockPersonality = true;
MemoryDenyWriteExecute = true;
NoNewPrivileges = true; NoNewPrivileges = true;
PrivateUsers = true; PrivateUsers = true;
RestrictNamespaces = true;
SystemCallArchitectures = "native";
SystemCallFilter = "@system-service";
}; };
Install = { WantedBy = [ "default.target" ]; }; Install = { WantedBy = [ "default.target" ]; };
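Review bot: The new `SystemCallFilter = "@system-service";` is set without a `SystemCallErrorNumber`, so a syscall outside the allow-list terminates the process with SIGSYS instead of returning an error. With the `Restart = "on-failure"` at the top of this hunk, that would likely show up as a restart loop rather than as a clear error in the Syncthing log. Consider adding `SystemCallErrorNumber = "EPERM";` next to the filter, or a comment stating that kill-on-violation is the intended behaviour. The seccomp filter and `NoNewPrivileges` are inherited by child processes, so any helper command Syncthing is configured to launch runs under the same restrictions; a short comment under `# Sandboxing.` saying so would help users who hit that. The enclosing Service attribute set begins outside this hunk, so other settings there were not reviewed.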