eeva
/
home-manager
mirror of https://github.com/nix-community/home-manager
1
0
Fork 0
Code Issues Releases Wiki Activity

flameshot: add some service sandboxing

This commit is contained in:
Robert Helgesson 2021-08-14 15:13:31 +02:00
parent 654d82f888
commit 72f3bc6fa4
No known key found for this signature in database
GPG Key ID: 36BDAA14C2797E89
1 changed files with 9 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
modules/services/flameshot.nix
View File

@ -34,6 +34,15 @@ in {
Environment = "PATH=${config.home.profileDirectory}/bin";
ExecStart = "${package}/bin/flameshot";
Restart = "on-abort";
# Sandboxing.
LockPersonality = true;
MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
PrivateUsers = true;
RestrictNamespaces = true;
SystemCallArchitectures = "native";
SystemCallFilter = "@system-service";
};
};
};