From 6b0a230d7e460448ee53f050176e1c0aa6a800de Mon Sep 17 00:00:00 2001
From: Gonne
Date: Thu, 4 Apr 2024 17:13:12 +0200
Subject: [PATCH] Restrict HRZ allowlist update service privileges
---
 nixos/modules/mailman.nix | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
diff --git a/nixos/modules/mailman.nix b/nixos/modules/mailman.nix
index 8156d32..16b2c87 100644
--- a/nixos/modules/mailman.nix
+++ b/nixos/modules/mailman.nix
@@ -93,7 +93,24 @@ in {
 serviceConfig = {
 Type = "oneshot";
 User = "mailman";
+ # See https://www.man7.org/linux/man-pages/man5/systemd.exec.5.html
 PrivateTmp = true;
+ ProtectHome = true;
+ ReadOnlyPaths = "/";
+ ReadWritePaths = "/tmp";
+ InaccessiblePaths = "-/lost+found";
+ PrivateDevices = true;
+ PrivateUsers = true;
+ ProtectHostname = true;
+ ProtectClock = true;
+ ProtectKernelTunables = true;
+ ProtectKernelModules = true;
+ ProtectKernelLogs = true;
+ ProtectControlGroups = true;
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
 };
 };
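Review bot: `ReadOnlyPaths = "/"` with only `ReadWritePaths = "/tmp"` makes every path except the (already private) tmp read-only, so whatever the allowlist update writes — the allowlist itself, mailman's state directory, or a log file — must be granted explicitly (e.g. `ReadWritePaths = [ "/tmp" "/var/lib/mailman" ];`), otherwise the oneshot will fail at the first write; the `ExecStart` is outside this hunk, so which paths it touches should be confirmed before merging. The stanza also stops at the filesystem/kernel-interface layer: there is no capability, namespace, address-family or syscall restriction, which is the part that actually limits what a compromised update process can do, so I would add the lines below (the `@system-service` set is the usual allowlist for a Python service; `RestrictAddressFamilies` presumably needs AF_INET/AF_INET6 because the update fetches from HRZ — verify against the script). `PrivateUsers = true` means files owned by users other than `mailman` appear as `nobody` inside the sandbox, which is worth a short comment next to it so the next maintainer does not debug a permission error blind. Note also that `MemoryDenyWriteExecute = true` will break any JIT-ing Python extension; it is fine for plain CPython but worth a comment stating that assumption.

```nix
        # … unchanged: existing Protect*/Private*/Restrict* options …
        NoNewPrivileges = true;
        CapabilityBoundingSet = "";
        RestrictNamespaces = true;
        RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
        SystemCallArchitectures = "native";
        SystemCallFilter = [ "@system-service" ];
```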