rngd: harden service config, from arch

tadeokondrak · May 17, 2019 · 4fa193e · 4fa193e
1 parent f1e8e6e
commit 4fa193e
Showing 1 changed file with 5 additions and 0 deletions.
diff --git a/nixos/modules/security/rngd.nix b/nixos/modules/security/rngd.nix
@@ -42,6 +42,11 @@ in
       serviceConfig = {
         ExecStart = "${pkgs.rng-tools}/sbin/rngd -f"
           + optionalString cfg.debug " -d";
+        NoNewPrivileges = true;
+        PrivateNetwork = true;
+        PrivateTmp = true;
+        ProtectSystem = "full";
+        ProtectHome = true;
       };
     };
   };