From 2b0ee787dd38414101d4b76b5a1818c9a21c57cd Mon Sep 17 00:00:00 2001
From: snicket2100 <57048005+snicket2100@users.noreply.github.com>
Date: Mon, 13 Apr 2020 10:43:32 +0200
Subject: [PATCH] mosquitto: systemd service sandboxing

running the service in a sandbox. read-only root file system, with tmpfs mounted in /tmp, hidden /root and /home, temporary /dev. the only writeable path is the data directory, which according to my experiments is enough for the service to work correctly.
---
 nixos/modules/services/networking/mosquitto.nix | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/nixos/modules/services/networking/mosquitto.nix b/nixos/modules/services/networking/mosquitto.nix
index d2feb93e2b72..ec109c4e6347 100644
--- a/nixos/modules/services/networking/mosquitto.nix
+++ b/nixos/modules/services/networking/mosquitto.nix
@@ -204,6 +204,16 @@ in
         Restart = "on-failure";
         ExecStart = "${pkgs.mosquitto}/bin/mosquitto -c ${mosquittoConf}";
         ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
+
+        ProtectSystem = "strict";
+        ProtectHome = true;
+        PrivateDevices = true;
+        PrivateTmp = true;
+        ReadWritePaths = "${cfg.dataDir}";
+        ProtectControlGroups = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        NoNewPrivileges = true;
       };
       preStart = ''
         rm -f ${cfg.dataDir}/passwd
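Review bot: With `ProtectSystem = "strict"` the only writable location becomes `${cfg.dataDir}`, so any path the generated `${mosquittoConf}` points at outside that directory (a file log destination or a persistence location, if the module allows configuring them) would fail silently at runtime rather than at evaluation; the commit message says this was validated by experiment, and that assumption deserves a comment next to `ReadWritePaths`, e.g. `# read-only root (ProtectSystem=strict): dataDir is the only path mosquitto and preStart write to`. The same applies to `ProtectHome = true`, which would hide a `dataDir` placed under /home regardless of `ReadWritePaths`; a short note or an assertion on `cfg.dataDir` would make that explicit. The hardening set stops at file-system and kernel-surface protections; since `NoNewPrivileges` is already set, `RestrictNamespaces = true; RestrictRealtime = true; LockPersonality = true;` would complete it at no functional cost for a broker. The enclosing `serviceConfig` attribute set starts outside the hunk.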