Commit `057133daf2d2`

Vincent Demeester <vincent@sbr.pm>

2025-07-22 22:29:17

systems: hardened the acpid services

Trying something out, will do it for more services as we go. Signed-off-by: Vincent Demeester <vincent@sbr.pm>

main

1 parent 0c501f2

Changed files (1)

systems

common

hardware

acpid.nix

@@ -2,4 +2,15 @@ _: {
   services.acpid = {
     enable = true;
   };
+  systemd.services.acpid.serviceConfig = {
+    ProtectSystem = "full";
+    ProtectHome = true;
+    RestrictAddressFamilies = [
+      "AF_INET"
+      "AF_INET6"
+    ];
+    SystemCallFilter = "~@clock @cpu-emulation @debug @module @mount @raw-io @reboot @swap";
+    ProtectKernelTunables = true;
+    ProtectKernelModules = true;
+  };
 }

Commit 057133daf2d2

Commit `057133daf2d2`