Reduce service permissions

This commit is contained in:
Rory&
2025-12-28 10:37:27 +01:00
parent 11e2e35746
commit a79ea3a5bc
+31
@@ -223,10 +223,14 @@ in
++ (if cfg.captchaSiteKeyPath != null then [ "captchaSiteKey:${cfg.captchaSiteKeyPath}" ] else [ ])
++ (if cfg.ipdataApiKeyPath != null then [ "ipdataApiKey:${cfg.ipdataApiKeyPath}" ] else [ ])
++ (if cfg.requestSignaturePath != null then [ "requestSignature:${cfg.requestSignaturePath}" ] else [ ]);
User = "spacebarchat";
Group = "spacebarchat";
DynamicUser = false;
LockPersonality = true;
NoNewPrivileges = true;
ProtectClock = true;
ProtectControlGroups = true;
ProtectHostname = true;
@@ -247,7 +251,34 @@ in
SystemCallFilter = [
"@system-service"
"~@privileged"
"@chown" # Required for copying files with FICLONE, apparently.
];
CapabilityBoundingSet=[
"~CAP_SYS_ADMIN"
"~CAP_AUDIT_*"
"~CAP_NET_(BIND_SERVICE|BROADCAST|RAW)"
"~CAP_NET_ADMIN" # No use for this as we don't currently use iptables for enforcing instance bans
"~CAP_SYS_TIME"
"~CAP_KILL"
"~CAP_(DAC_*|FOWNER|IPC_OWNER)"
"~CAP_LINUX_IMMUTABLE"
"~CAP_IPC_LOCK"
"~CAP_BPF"
"~CAP_SYS_TTY_CONFIG"
"~CAP_SYS_BOOT"
"~CAP_SYS_CHROOT"
"~CAP_BLOCK_SUSPEND"
"~CAP_LEASE"
"~CAP_(CHOWN|FSETID|FSETFCAP)" # Check if we need CAP_CHOWN for `fchown()` (FICLONE)?
"~CAP_SET(UID|GID|PCAP)"
"~CAP_MAC_*"
"~CAP_SYS_PTRACE"
"~CAP_SYS_(NICE|RESOURCE)"
"~CAP_SYS_RAWIO"
"~CAP_SYSLOG"
];
RestrictSUIDSGID = true;
WorkingDirectory = "/var/lib/spacebar";
StateDirectory = "spacebar";
StateDirectoryMode = "0750";
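Review bot: Several of the new CapabilityBoundingSet entries use wildcard or alternation syntax (`~CAP_AUDIT_*`, `~CAP_NET_(BIND_SERVICE|BROADCAST|RAW)`, `~CAP_(DAC_*|FOWNER|IPC_OWNER)`, `~CAP_SET(UID|GID|PCAP)`, `~CAP_MAC_*`, `~CAP_SYS_(NICE|RESOURCE)`), which does not match systemd's documented syntax for this setting (a whitespace-separated list of literal capability names); as far as I know such patterns are not expanded, so systemd would likely log a parse warning and those capabilities would not actually be dropped, and `CAP_FSETFCAP` on the `~CAP_(CHOWN|FSETID|FSETFCAP)` line is not a real capability name at all (the file-capability one is `CAP_SETFCAP`). Because the unit runs as the static non-root `spacebarchat` user with `NoNewPrivileges = true` and the visible config sets no `AmbientCapabilities`, the process holds no capabilities regardless of this list, so the deny-list can be replaced by the allow-list form `CapabilityBoundingSet = [ "" ];`, which removes every capability including ones the current list omits (e.g. `CAP_SYS_MODULE`, `CAP_MKNOD`) and has no pattern ambiguity. That also settles the `# Check if we need CAP_CHOWN for fchown() (FICLONE)?` question: a non-root process never had `CAP_CHOWN` to lose, and the separately added `"@chown"` entry in SystemCallFilter is what governs whether the syscall itself is permitted. Minor style point: `CapabilityBoundingSet=[` lacks the spaces around `=` used on every other line of the block. After the change, `systemd-analyze security <unit-name>` on the generated unit is a quick way to confirm the bounding set is actually empty and that no "Failed to parse capability" warnings appear in the journal.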