From d56a363d3da2deacf4d264af83ced4050b8643a5 Mon Sep 17 00:00:00 2001
From: nixbitcoin
Date: Sat, 30 Jan 2021 23:08:38 +0100
Subject: [PATCH] services: improve default hardening

---
 pkgs/lib.nix | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/pkgs/lib.nix b/pkgs/lib.nix
index e42b641..a024ef9 100644
--- a/pkgs/lib.nix
+++ b/pkgs/lib.nix
@@ -15,6 +15,11 @@ let self = {
   MemoryDenyWriteExecute = "true";
   ProtectKernelTunables = "true";
   ProtectKernelModules = "true";
+  ProtectKernelLogs = "true";
+  ProtectClock = "true";
+  # Test and enable these when systemd v247 is available
+  # ProtectProc = "invisible";
+  # ProcSubset = "pid";
   ProtectControlGroups = "true";
   RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6";
   RestrictNamespaces = "true";
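Review bot: `ProtectClock = "true"` is added to a hardening set that, judging by the attribute names around it, is applied as a default to every service, and as far as I recall systemd.exec(5) documents that ProtectClock= implies `DeviceAllow=char-rtc r`, which switches on the device cgroup controller for the unit so that any device node outside the standard pseudo-devices becomes inaccessible unless the service adds its own `DeviceAllow=`; a service that reads e.g. a hardware wallet or other device node would then fail with EPERM with no obvious cause, so this deserves a comment next to the line, such as `# Implies DeviceAllow=char-rtc r: services that need other device nodes must add their own DeviceAllow`. The commented-out `ProtectProc`/`ProcSubset` lines would also benefit from recording why they are risky rather than only the version gate: `ProcSubset=pid` hides every non-PID entry under /proc (e.g. /proc/sys, /proc/net, /proc/meminfo), which some services read at startup, and `ProtectProc=invisible` gives no isolation for a service that still runs as root or keeps CAP_SYS_PTRACE, so the comment could read `# ProcSubset=pid hides non-PID /proc entries; check each service for reads of /proc/sys, /proc/net etc. before enabling`. Whether any current service is affected cannot be told from this hunk; the enclosing `let self = {` attribute set begins and ends outside it.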