MirrorHub/nixpkgs
0
0
Fork 0
mirror of https://github.com/NixOS/nixpkgs.git synced 2024-11-17 15:22:59 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

nixos/tor: harden ProcSubset and ProtectProc

Browse source
This commit is contained in:
Julien Moutinho 2021-05-10 15:29:52 +02:00
parent acd5e6707e
commit cd1f6bc712
1 changed files with 2 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
nixos/modules/services/security/tor.nix
View file

@ -1007,6 +1007,7 @@ in
# Tor cannot currently bind privileged port when PrivateUsers=true,
# see https://gitlab.torproject.org/legacy/trac/-/issues/20930
PrivateUsers = !bindsPrivilegedPort;
ProcSubset = "pid";
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
@ -1014,6 +1015,7 @@ in
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProtectSystem = "strict";
RemoveIPC = true;
RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];