From ccc3a70344d6beb6eba5b9e13efcda721f244f7c Mon Sep 17 00:00:00 2001
From: nixbitcoin
Date: Wed, 6 May 2020 10:19:14 +0200
Subject: [PATCH] service hardening: add more restrictions

Add RestrictSUIDSGID
Add RemoveIPC
Add RestrictRealtime
Add ProtectHostname
---
 modules/nix-bitcoin-services.nix | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/modules/nix-bitcoin-services.nix b/modules/nix-bitcoin-services.nix
index e155a41..daf1355 100644
--- a/modules/nix-bitcoin-services.nix
+++ b/modules/nix-bitcoin-services.nix
@@ -21,6 +21,10 @@ with lib;
 LockPersonality = "true";
 IPAddressDeny = "any";
 PrivateUsers = "true";
+ RestrictSUIDSGID = "true";
+ RemoveIPC = "true";
+ RestrictRealtime = "true";
+ ProtectHostname = "true";
 CapabilityBoundingSet = "";
 # @system-service whitelist and docker seccomp blacklist (except for "clone"
 # which is a core requirement for systemd services)
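Review bot: `RemoveIPC = "true";` is scoped to the unit's user and group, not to the unit itself: when the unit stops, systemd removes every System V and POSIX IPC object owned by that user, so if this shared hardening set is applied to two services that run under the same `User=`, stopping one clears the other's IPC objects. Since these defaults appear to be inherited by every service in the module, a comment above that line would save the next maintainer a surprise, e.g. `# RemoveIPC acts on all IPC owned by the unit's user/group, not just this unit; assumes one dedicated user per service.` The other three additions are unit-local and carry no such cross-service effect, though `RestrictSUIDSGID=` and `ProtectHostname=` are only honoured by recent systemd versions and are silently ignored by older ones, which may be worth noting in the commit message rather than in code. The enclosing attribute set begins and ends outside this hunk.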