jolheiser/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

nixos/mastodon: add new sandboxing options

Browse Source
This commit is contained in:
Izorkin 2021-05-12 11:22:44 +03:00 committed by Kerstin
parent e62c9ce932
commit 943f15d4b7
1 changed files with 4 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
nixos/modules/services/web-apps/mastodon.nix
View File

@ -50,6 +50,9 @@ let
# Logs directory and mode
LogsDirectory = "mastodon";
LogsDirectoryMode = "0750";
# Proc filesystem
ProcSubset = "pid";
ProtectProc = "invisible";
# Access write directories
UMask = "0027";
# Capabilities
@ -74,6 +77,7 @@ let
MemoryDenyWriteExecute = false;
RestrictRealtime = true;
RestrictSUIDSGID = true;
RemoveIPC = true;
PrivateMounts = true;
# System Call Filtering
SystemCallArchitectures = "native";