refactor(networking): harden networkmanager systemd services

Mohammad Rafiq 2025-04-02 16:16:10 +08:00
parent f450885e01
commit 76381b19c5
No known key found for this signature in database
2 changed files with 70 additions and 11 deletions


@ -5,6 +5,34 @@
...
}:
{
systemd.services.NetworkManager-dispatcher.serviceConfig = {
ProtectClock = true; # Prevents the service from changing the system time or timezone.
ProtectKernelTunables = true; # Restricts the service's ability to modify kernel parameters via sysctl.
ProtectKernelModules = true; # Prevents the service from loading or unloading kernel modules.
ProtectKernelLogs = true; # Prevents the service from reading kernel logs directly.
SystemCallFilter = "~@clock @cpu-emulation @debug @obsolete @module @mount @raw-io @reboot @swap"; # Whitelists system calls, blocking all others based on specified groups.
ProtectControlGroups = true; # Prevents the service from joining or modifying control groups other than its own.
RestrictNamespaces = true; # Enforces stricter namespace isolation, preventing user namespace creation/joining.
LockPersonality = true; # Disables the `personality()` system call, preventing execution domain changes.
MemoryDenyWriteExecute = true; # Prevents the service from mapping memory pages as both writable and executable (W^X).
RestrictRealtime = true; # Prevents the service from using real-time scheduling policies.
RestrictSUIDSGID = true; # Prevents the service from utilizing setuid/setgid functionality.
};
systemd.services.NetworkManager.serviceConfig = {
ProtectClock = true; # Prevents the service from changing the system time or timezone.
ProtectKernelTunables = true; # Restricts the service's ability to modify kernel parameters via sysctl.
ProtectKernelModules = true; # Prevents the service from loading or unloading kernel modules.
ProtectKernelLogs = true; # Prevents the service from reading kernel logs directly.
SystemCallFilter = "~@clock @cpu-emulation @debug @obsolete @module @mount @raw-io @reboot @swap"; # Whitelists system calls, blocking all others based on specified groups.
ProtectControlGroups = true; # Prevents the service from joining or modifying control groups other than its own.
RestrictNamespaces = true; # Enforces stricter namespace isolation, preventing user namespace creation/joining.
LockPersonality = true; # Disables the `personality()` system call, preventing execution domain changes.
MemoryDenyWriteExecute = true; # Prevents the service from mapping memory pages as both writable and executable (W^X).
RestrictRealtime = true; # Prevents the service from using real-time scheduling policies.
RestrictSUIDSGID = true; # Prevents the service from utilizing setuid/setgid functionality.
};
networking = {
hostName = hostname;
useDHCP = lib.mkDefault true;