syncthing: add more service sandboxing
parent
a965b097b1
commit
654d82f888
1 changed files with 7 additions and 0 deletions
|
@ -61,8 +61,15 @@ with lib;
|
||||||
Restart = "on-failure";
|
Restart = "on-failure";
|
||||||
SuccessExitStatus = [ 3 4 ];
|
SuccessExitStatus = [ 3 4 ];
|
||||||
RestartForceExitStatus = [ 3 4 ];
|
RestartForceExitStatus = [ 3 4 ];
|
||||||
|
|
||||||
|
# Sandboxing.
|
||||||
|
LockPersonality = true;
|
||||||
|
MemoryDenyWriteExecute = true;
|
||||||
NoNewPrivileges = true;
|
NoNewPrivileges = true;
|
||||||
PrivateUsers = true;
|
PrivateUsers = true;
|
||||||
|
RestrictNamespaces = true;
|
||||||
|
SystemCallArchitectures = "native";
|
||||||
|
SystemCallFilter = "@system-service";
|
||||||
};
|
};
|
||||||
|
|
||||||
Install = { WantedBy = [ "default.target" ]; };
|
Install = { WantedBy = [ "default.target" ]; };
|
||||||
|
|
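Review bot: `SystemCallFilter = "@system-service";` is added without a `SystemCallErrorNumber`, so a syscall outside the allow-list terminates the process with SIGSYS instead of returning an error to it. With `Restart = "on-failure";` at the top of this hunk, that would likely show up as a silent restart loop rather than a readable log line. Consider adding `SystemCallErrorNumber = "EPERM";` next to the filter. It would also help to extend the `# Sandboxing.` comment to say that the filter is an allow-list and that any feature needing a syscall outside `@system-service` must widen it explicitly. The Service attribute set opens above the hunk, so settings that may already exist there are not visible here.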