From 2ea1ee954f1548850baddeeaa4c7560b0c5831df Mon Sep 17 00:00:00 2001
From: Guanran Wang
Date: Tue, 4 Feb 2025 18:46:04 +0800
Subject: [PATCH] nixos/sing-box: harden systemd service
---
 .../modules/services/networking/sing-box.nix | 31 +++++++++++++++++++
 1 file changed, 31 insertions(+)
diff --git a/nixos/modules/services/networking/sing-box.nix b/nixos/modules/services/networking/sing-box.nix
index 104c75c8105cc..f8c89f9ce761f 100644
--- a/nixos/modules/services/networking/sing-box.nix
+++ b/nixos/modules/services/networking/sing-box.nix
@@ -72,6 +72,37 @@ in
 ""
 "${lib.getExe cfg.package} -D \${STATE_DIRECTORY} -C \${RUNTIME_DIRECTORY} run"
 ];
+
+ # Hardening
+ DeviceAllow = "/dev/net/tun";
+ DevicePolicy = "closed";
+ DynamicUser = true;
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ NoNewPrivileges = true;
+ PrivateMounts = true;
+ PrivateTmp = true;
+ ProcSubset = "pid";
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ ProtectHome = true;
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectProc = "invisible";
+ ProtectSystem = "strict";
+ RestrictAddressFamilies = [
+ "AF_INET"
+ "AF_INET6"
+ "AF_NETLINK"
+ ];
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ SystemCallArchitectures = "native";
+ SystemCallFilter = "@system-service";
+ UMask = "0077";
 };
 wantedBy = [ "multi-user.target" ];
 };
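Review bot: The hunk switches the service to `DynamicUser = true` and keeps `/dev/net/tun` and `AF_NETLINK` reachable, but no `CapabilityBoundingSet` or `AmbientCapabilities` is set alongside them; a non-root sing-box without CAP_NET_ADMIN cannot open the tun device or install routes, so the TUN inbound path presumably only keeps working if the upstream unit pulled in by the package still supplies those capabilities, which this hunk cannot confirm. Pinning them explicitly in this block, e.g. `CapabilityBoundingSet = [ "CAP_NET_ADMIN" "CAP_NET_BIND_SERVICE" ];` and `AmbientCapabilities = [ "CAP_NET_ADMIN" "CAP_NET_BIND_SERVICE" ];`, would make the unit's privilege set readable in one place and keep it minimal even if the upstream unit changes. The bare `# Hardening` comment should also say why the two holes in `DevicePolicy = "closed"` and the address-family allow list exist, e.g. `# Hardening; /dev/net/tun and AF_NETLINK are kept for tun inbounds and route management`, so a later cleanup does not remove them as unused. The enclosing `serviceConfig` attrset begins outside the hunk.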