Skip to content
Permalink

Comparing changes

Choose two branches to see what’s changed or to start a new pull request. If you need to, you can also or learn more about diff comparisons.

Open a pull request

Create a new pull request by comparing changes across two branches. If you need to, you can also . Learn more about diff comparisons here.
base repository: NixOS/nixpkgs
Failed to load repositories. Confirm that selected base ref is valid, then try again.
Loading
base: de7286cf61b2
Choose a base ref
...
head repository: NixOS/nixpkgs
Failed to load repositories. Confirm that selected head ref is valid, then try again.
Loading
compare: dea2d64c3538
Choose a head ref
  • 2 commits
  • 1 file changed
  • 2 contributors

Commits on Jan 20, 2020

  1. nixos/syncthing.nix: Sandbox the systemd service. 

    Using systemd sandboxing features to harden the syncthing service.
    @picnoir
    picnoir committed Jan 20, 2020

    Verified

    This commit was signed with the committer’s verified signature. The key has expired.
    Ma27 Maximilian Bosch
    GPG key ID: 091DBF4D1FC46B8E
    Expired
    Verified
    Learn about vigilant mode
    Copy the full SHA
    ff8f292 View commit details

Commits on Jan 21, 2020

  1. Merge pull request #78134 from NinjaTrappeur/nin-harden-syncthing 

    nixos/syncthing.nix: Sandbox the systemd service.
    @flokli
    flokli authored Jan 21, 2020
    Copy the full SHA
    dea2d64 View commit details
Showing with 18 additions and 0 deletions.
  1. +18 −0 nixos/modules/services/networking/syncthing.nix
18 changes: 18 additions & 0 deletions nixos/modules/services/networking/syncthing.nix
View file
Original file line number Diff line number Diff line change
@@ -484,6 +484,24 @@ in {
-gui-address=${cfg.guiAddress} \
-home=${cfg.configDir}
'';
MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
PrivateDevices = true;
PrivateMounts = true;
PrivateTmp = true;
PrivateUsers = true;
ProtectControlGroups = true;
ProtectHostname = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
CapabilityBoundingSet = [
"~CAP_SYS_PTRACE" "~CAP_SYS_ADMIN"
"~CAP_SETGID" "~CAP_SETUID" "~CAP_SETPCAP"
"~CAP_SYS_TIME" "~CAP_KILL"
];
};
};
syncthing-init = mkIf (