506bc7ba02
- Set an explicit umask that allows u+rwx and g+r. - Adds `ProtectControlGroups` and `ProtectKernelLogs`, there should be no need to access either. - Adds `ProtectClock` to prevent write-access to the system clock. - `ProtectProc` hides processes from other users within the /proc filesystem and `ProcSubSet` hides all files/directories unrelated to the process management of the units process. - Sets `RemoveIPC`, as there is no SysV or POSIX IPC within nginx that I know of. - Restricts the creation of arbitrary namespaces - Adds a reasonable `SystemCallFilter` preventing calls to @privileged, @obsolete and others. And finally applies some sorting based on the order these options appear in systemd.exec(5). |
||
|---|---|---|
| .. | ||
| doc | ||
| lib | ||
| maintainers | ||
| modules | ||
| tests | ||
| COPYING | ||
| default.nix | ||
| README | ||
| release-combined.nix | ||
| release-small.nix | ||
| release.nix | ||
*** NixOS *** NixOS is a Linux distribution based on the purely functional package management system Nix. More information can be found at https://nixos.org/nixos and in the manual in doc/manual.