Diffstat (limited to 'nixpkgs/nixos/modules/services/networking/ndppd.nix')
-rw-r--r--nixpkgs/nixos/modules/services/networking/ndppd.nix20
1 files changed, 19 insertions, 1 deletions
diff --git a/nixpkgs/nixos/modules/services/networking/ndppd.nix b/nixpkgs/nixos/modules/services/networking/ndppd.nix
index 92088623517..e015f76f622 100644
--- a/nixpkgs/nixos/modules/services/networking/ndppd.nix
+++ b/nixpkgs/nixos/modules/services/networking/ndppd.nix
@@ -161,7 +161,25 @@ in {
documentation = [ "man:ndppd(1)" "man:ndppd.conf(5)" ];
after = [ "network-pre.target" ];
wantedBy = [ "multi-user.target" ];
- serviceConfig.ExecStart = "${pkgs.ndppd}/bin/ndppd -c ${ndppdConf}";
+ serviceConfig = {
+ ExecStart = "${pkgs.ndppd}/bin/ndppd -c ${ndppdConf}";
+
+ # Sandboxing
+ CapabilityBoundingSet = "CAP_NET_RAW CAP_NET_ADMIN";
+ ProtectSystem = "strict";
+ ProtectHome = true;
+ PrivateTmp = true;
+ PrivateDevices = true;
+ ProtectKernelTunables = true;
+ ProtectKernelModules = true;
+ ProtectControlGroups = true;
+ RestrictAddressFamilies = "AF_INET6 AF_PACKET AF_NETLINK";
+ RestrictNamespaces = true;
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ };
};
};
}
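Review bot: The new sandbox block (L22–L36) stops short of a syscall filter and NoNewPrivileges, so the daemon — which still runs as UID 0, since no User/DynamicUser is set — keeps the full native syscall surface and can re-gain privileges across an execve; add `NoNewPrivileges = true;`, `SystemCallArchitectures = "native";` and `SystemCallFilter = "@system-service";` beside the other hardening options. Whether ndppd can instead run unprivileged with `DynamicUser = true;` plus `AmbientCapabilities = "CAP_NET_RAW CAP_NET_ADMIN";` depends on how it opens its AF_PACKET/AF_NETLINK sockets, which this module does not show, but it would make the bounding set a real reduction rather than a cap on root. Note also that RestrictAddressFamilies (L31) omits AF_UNIX: if ndppd logs through syslog(3) rather than stderr, those messages would be dropped silently, so confirm against the upstream logger before relying on journal output. The enclosing `systemd.services` attribute set starts outside the hunk.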