path: root/nixpkgs/nixos/modules/services/security/usbguard.nix
Diffstat (limited to 'nixpkgs/nixos/modules/services/security/usbguard.nix')
-rw-r--r--nixpkgs/nixos/modules/services/security/usbguard.nix23
1 files changed, 23 insertions, 0 deletions
diff --git a/nixpkgs/nixos/modules/services/security/usbguard.nix b/nixpkgs/nixos/modules/services/security/usbguard.nix
index 4ced5acd9bd..f4118eb87fc 100644
--- a/nixpkgs/nixos/modules/services/security/usbguard.nix
+++ b/nixpkgs/nixos/modules/services/security/usbguard.nix
@@ -207,6 +207,29 @@ in {
Type = "simple";
ExecStart = ''${cfg.package}/bin/usbguard-daemon -P -k -c ${daemonConfFile}'';
Restart = "on-failure";
+
+ AmbientCapabilities = "";
+ CapabilityBoundingSet = "CAP_CHOWN CAP_FOWNER";
+ DeviceAllow = "/dev/null rw";
+ DevicePolicy = "strict";
+ IPAddressDeny = "any";
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ NoNewPrivileges = true;
+ PrivateDevices = true;
+ PrivateTmp = true;
+ ProtectControlGroups = true;
+ ProtectHome = true;
+ ProtectKernelModules = true;
+ ProtectSystem = true;
+ ReadOnlyPaths = "-/";
+ ReadWritePaths = "-/dev/shm -${dirOf cfg.auditFilePath} -/tmp -${dirOf cfg.ruleFile}";
+ RestrictAddressFamilies = "AF_UNIX AF_NETLINK";
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ SystemCallArchitectures = "native";
+ SystemCallFilter = "@system-service";
+ UMask = "0077";
};
};
};
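Review bot: The hardening list added at L19–L40 carries no comment explaining which directives were deliberately left out, and the most likely one a later maintainer will try to add is `ProtectKernelTunables`, which mounts /sys read-only; if usbguard-daemon applies its policy by writing device attributes under sysfs (as its use of AF_NETLINK for uevents suggests), that directive would silently break enforcement — confirm against the daemon before relying on this. I would put a short comment above `AmbientCapabilities = "";` such as `# ProtectKernelTunables is intentionally omitted: the daemon needs write access to sysfs to authorize/deauthorize devices.` so the omission survives future hardening passes. The `-/tmp` entry in `ReadWritePaths` is redundant with `PrivateTmp = true` and could be dropped to keep the carve-out list minimal. The enclosing serviceConfig attribute set begins outside the hunk, so whether a `User` is set (and hence whether `CapabilityBoundingSet = "CAP_CHOWN CAP_FOWNER"` is actually needed) cannot be checked here.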