From bcdd4486fc3f075e39f5324088969485b3319735 Mon Sep 17 00:00:00 2001
From: Lu Wang
Date: Thu, 5 Dec 2024 21:43:45 +0800
Subject: [PATCH] lib/misc: add serviceHardened
---
 lib/default.nix | 1 +
 lib/misc/default.nix | 7 +++++++
 lib/misc/service-hardened.nix | 36 +++++++++++++++++++++++++++++++++++
 3 files changed, 44 insertions(+)
 create mode 100644 lib/misc/default.nix
 create mode 100644 lib/misc/service-hardened.nix
diff --git a/lib/default.nix b/lib/default.nix
index cce6f3f..230fe63 100644
--- a/lib/default.nix
+++ b/lib/default.nix
@@ -7,6 +7,7 @@ let
   callLibs = file: import file { inherit inputs lib self; };
 in
 {
+  misc = callLibs ./misc;
   network = callLibs ./network;
   path = callLibs ./path.nix;
 }
diff --git a/lib/misc/default.nix b/lib/misc/default.nix
new file mode 100644
index 0000000..4b911dd
--- /dev/null
+++ b/lib/misc/default.nix
@@ -0,0 +1,7 @@
+{ lib, self, ... }:
+let
+  serviceHardened = import ./service-hardened.nix { inherit lib self; };
+in
+{
+  inherit serviceHardened;
+}
diff --git a/lib/misc/service-hardened.nix b/lib/misc/service-hardened.nix
new file mode 100644
index 0000000..0d021c6
--- /dev/null
+++ b/lib/misc/service-hardened.nix
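Review bot: In the lib/misc/default.nix hunk, `self` is forwarded in `import ./service-hardened.nix { inherit lib self; }` although the imported file declares only `{ lib, ... }:`, so the value is swallowed by the ellipsis and never read; passing just `lib` would make the real dependency visible to the next reader. The `let`/`in` plus `inherit` could also collapse to `{ serviceHardened = import ./service-hardened.nix { inherit lib; }; }` with no change in result. The one-line addition to lib/default.nix needs nothing.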
@@ -0,0 +1,36 @@
+# Portions of this file are sourced from
+# https://github.com/xddxdd/nixos-config/blob/710791365eef89076a742c000ddc3e719dbc8582/helpers/fn/service-harden.nix
+# https://github.com/NickCao/flakes/blob/3b03efb676ea602575c916b2b8bc9d9cd13b0d85/modules/cloud/services.nix
+{ lib, ... }:
+lib.mapAttrs (_k: lib.mkOptionDefault) {
+  AmbientCapabilities = "";
+  CapabilityBoundingSet = "";
+  LockPersonality = true;
+  MemoryDenyWriteExecute = true;
+  NoNewPrivileges = true;
+  PrivateDevices = true;
+  PrivateMounts = true;
+  PrivateTmp = true;
+  ProcSubset = "pid";
+  ProtectClock = true;
+  ProtectControlGroups = true;
+  ProtectHome = true;
+  ProtectHostname = true;
+  ProtectKernelLogs = true;
+  ProtectKernelModules = true;
+  ProtectKernelTunables = true;
+  ProtectProc = "invisible";
+  ProtectSystem = "strict";
+  RemoveIPC = true;
+  RestrictAddressFamilies = [
+    "AF_UNIX"
+    "AF_INET"
+    "AF_INET6"
+  ];
+  RestrictNamespaces = true;
+  RestrictRealtime = true;
+  RestrictSUIDSGID = true;
+  SystemCallArchitectures = "native";
+  SystemCallErrorNumber = "EPERM";
+  SystemCallFilter = [ "@system-service" ];
+}
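Review bot: The profile carries no comment on how it is meant to be applied or what it is known to break, which matters because every entry is wrapped in `lib.mkOptionDefault` and so silently yields to any ordinary `serviceConfig` definition, while an unoverridden service receives all of it at once. A header comment after the attribution lines should say that the attrset is intended to be merged into a service's `serviceConfig`, that each key is a low-priority default a service may override individually, and that `MemoryDenyWriteExecute = true` breaks runtimes that JIT-compile, `ProtectSystem = "strict"` leaves the filesystem read-only outside paths granted via `StateDirectory`/`ReadWritePaths`, and the `RestrictAddressFamilies` list omits `AF_NETLINK`, which some network-facing daemons need. It is also worth a one-line comment on `SystemCallErrorNumber = "EPERM"`: with it set, a syscall outside the `@system-service` allowlist fails with an errno instead of terminating the service, so a misconfigured service may misbehave quietly rather than fail visibly, and whoever adopts the profile should know to look for EPERM in the service's logs or drop the setting to get the kill-and-log behaviour. The attrset is the entire file, so nothing continues outside the hunk.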