Fix memory deny write execute for nodejs services

This commit is contained in:
Jonas Nick 2019-04-27 22:27:25 +00:00
parent a089d65d25
commit d9533edad1
No known key found for this signature in database
GPG Key ID: 4861DBF262123605
4 changed files with 15 additions and 4 deletions


@ -38,7 +38,7 @@ in {
User = "clightning"; User = "clightning";
Restart = "on-failure"; Restart = "on-failure";
RestartSec = "10s"; RestartSec = "10s";
} // nix-bitcoin-services.defaultHardening; } // nix-bitcoin-services.nodeHardening;
}; };
}; };
} }
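Review bot: The service in this section runs as `User = "clightning"` yet is switched from `defaultHardening` to `nodeHardening`, which drops MemoryDenyWriteExecute; the same switch appears in the section at L59-L66. The file names are not visible here, so if either unit is the c-lightning daemon itself rather than a Node-based service that merely shares the clightning user, it loses a W^X restriction it does not need. Worth confirming that only units whose ExecStart is a Node process use `nodeHardening`, and keeping `defaultHardening` on everything else. The enclosing service definitions start outside this hunk.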


@ -74,7 +74,7 @@ in {
User = "nanopos"; User = "nanopos";
Restart = "on-failure"; Restart = "on-failure";
RestartSec = "10s"; RestartSec = "10s";
} // nix-bitcoin-services.defaultHardening; } // nix-bitcoin-services.nodeHardening;
}; };
}; };
} }


@ -1,11 +1,22 @@
{ let
defaultHardening = { defaultHardening = {
PrivateTmp = "true"; PrivateTmp = "true";
ProtectSystem = "full"; ProtectSystem = "full";
ProtectHome = "true";
NoNewPrivileges = "true"; NoNewPrivileges = "true";
PrivateDevices = "true"; PrivateDevices = "true";
MemoryDenyWriteExecute = "true"; MemoryDenyWriteExecute = "true";
ProtectKernelTunables = "true";
ProtectKernelModules = "true";
ProtectControlGroups = "true";
RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6";
LockPersonality = "true";
}; };
in
{
inherit defaultHardening;
# node applications apparently rely on memory write execute
nodeHardening = defaultHardening // { MemoryDenyWriteExecute = "false"; };
} }
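Review bot: The comment on `nodeHardening` ("apparently rely on memory write execute") records a symptom rather than the cause, so a later maintainer cannot judge whether the relaxation is still required; I would replace it with `# Node's V8 JIT maps pages writable+executable, which MemoryDenyWriteExecute forbids; only Node-based units should use this set`. Since `nodeHardening` is derived from `defaultHardening` with `//`, every other restriction (NoNewPrivileges, ProtectKernel*, RestrictAddressFamilies, LockPersonality) is still inherited, which is the right shape; it may be worth stating that in the comment too so nobody copies the override without the base. The hunk header announces 22 new lines but fewer are rendered here, so the new attribute set may be cut off in this view.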


@ -64,7 +64,7 @@ in {
User = "clightning"; User = "clightning";
Restart = "on-failure"; Restart = "on-failure";
RestartSec = "10s"; RestartSec = "10s";
} // nix-bitcoin-services.defaultHardening; } // nix-bitcoin-services.nodeHardening;
}; };
}; };
} }