From ace96d5f7cbb45663d281689cd06c235a1f82278 Mon Sep 17 00:00:00 2001
From: Gonne
Date: Thu, 4 Apr 2024 17:13:12 +0200
Subject: [PATCH] Restrict HRZ allowlist update service privileges
---
 nixos/modules/mailman.nix | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
diff --git a/nixos/modules/mailman.nix b/nixos/modules/mailman.nix
index d106c0f..597a2f1 100644
--- a/nixos/modules/mailman.nix
+++ b/nixos/modules/mailman.nix
@@ -93,7 +93,25 @@ in {
 serviceConfig = {
 Type = "oneshot";
 User = "mailman";
+ NoNewPrivileges = true;
+ # See https://www.man7.org/linux/man-pages/man5/systemd.exec.5.html
 PrivateTmp = true;
+ ProtectHome = true;
+ ReadOnlyPaths = "/";
+ ReadWritePaths = "/tmp";
+ InaccessiblePaths = "-/lost+found";
+ PrivateDevices = true;
+ PrivateUsers = true;
+ ProtectHostname = true;
+ ProtectClock = true;
+ ProtectKernelTunables = true;
+ ProtectKernelModules = true;
+ ProtectKernelLogs = true;
+ ProtectControlGroups = true;
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
 };
 };
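Review bot: `ReadOnlyPaths = "/"` with only `/tmp` writable leaves the updater no place to persist the allowlist it maintains, and the hunk does not show where the script writes; if it touches Mailman's state or var directory that write will fail once this lands, so either add that path to `ReadWritePaths` or switch to `ProtectSystem = "strict";` with a `StateDirectory` or `ReadWritePaths` entry for it. The hardening also stops short of capability and syscall confinement, which is the usual next step for a oneshot like this: `CapabilityBoundingSet = "";`, `RestrictNamespaces = true;`, `SystemCallArchitectures = "native";`, plus a `SystemCallFilter` of `@system-service` and a `RestrictAddressFamilies` limited to the families the updater actually uses (presumably AF_INET/AF_INET6 if it talks to Mailman's REST API, AF_UNIX if it goes through a local socket). `MemoryDenyWriteExecute = true` and `PrivateUsers = true` are the two settings most likely to break the job at runtime (JIT- or libffi-based libraries for the first, files owned by other users appearing as nobody for the second), so a manual run after deploy is worth doing before relying on the timer. The `# See …systemd.exec.5` comment sits between two unrelated directives; moving it to the top of the block, as `# Sandboxing; see systemd.exec(5)`, reads better. The enclosing service definition begins before the hunk.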