Fix memory deny write execute for nodejs services

2019-04-27 22:27:25 +00:00 · 2019-04-27 22:27:25 +00:00 · d9533edad1
commit d9533edad1
parent a089d65d25
4 changed files with 15 additions and 4 deletions
--- a/modules/lightning-charge.nix
+++ b/modules/lightning-charge.nix
@ -38,7 +38,7 @@ in {
          User = "clightning";
          Restart = "on-failure";
          RestartSec = "10s";
-      } // nix-bitcoin-services.defaultHardening;
+      } // nix-bitcoin-services.nodeHardening;
    };
  };
 }
--- a/modules/nanopos.nix
+++ b/modules/nanopos.nix
@ -74,7 +74,7 @@ in {
        User = "nanopos";
        Restart = "on-failure";
        RestartSec = "10s";
-      } // nix-bitcoin-services.defaultHardening;
+      } // nix-bitcoin-services.nodeHardening;
    };
  };
 }
--- a/modules/nix-bitcoin-services.nix
+++ b/modules/nix-bitcoin-services.nix
@ -1,11 +1,22 @@
-{
+let
  defaultHardening = {
      PrivateTmp = "true";
      ProtectSystem = "full";
+      ProtectHome = "true";
      NoNewPrivileges = "true";
      PrivateDevices = "true";
      MemoryDenyWriteExecute = "true";
+      ProtectKernelTunables = "true";
+      ProtectKernelModules = "true";
+      ProtectControlGroups = "true";
+      RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6";
+      LockPersonality = "true";
  };
+in
+{
+  inherit defaultHardening;
+  # node applications apparently rely on memory write execute
+  nodeHardening = defaultHardening // { MemoryDenyWriteExecute = "false"; };
 }


--- a/modules/spark-wallet.nix
+++ b/modules/spark-wallet.nix
@ -64,7 +64,7 @@ in {
        User = "clightning";
        Restart = "on-failure";
        RestartSec = "10s";
-      } // nix-bitcoin-services.defaultHardening;
+      } // nix-bitcoin-services.nodeHardening;
    };
  };
 }