privatevoid.net/depot
1
1
Fork 0
Code Issues 23 Pull requests 2 Projects 3 Releases Packages Wiki Activity Actions

cluster/services/hercules-ci-multi-agent: remove some hardening options that break effects

Browse source
This commit is contained in:
Max Headroom 2023-10-29 15:22:56 +01:00
parent bcaecf492a
commit f6813d933d
1 changed files with 0 additions and 7 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
cluster/services/hercules-ci-multi-agent/modules/multi-agent-refactored/default.nix
View file

@ -64,20 +64,13 @@
LimitSTACK = 256 * 1024 * 1024;
# Hardening.
CapabilityBoundingSet = "";
DeviceAllow = "";
LockPersonality = true;
NoNewPrivileges = true;
PrivateDevices = true;
PrivateMounts = true;
PrivateTmp = true;
PrivateUsers = true;
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectSystem = "full";
RemoveIPC = true;
RestrictRealtime = true;