Last active
July 9, 2024 15:00
-
-
Save mweinelt/479e7e2cf80eb5218eb55fbe1e17d8fa to your computer and use it in GitHub Desktop.
miniflux systemd unit nixos/upstream
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| vm-test-run-miniflux> default: NAME DESCRIPTION E | |
| vm-test-run-miniflux> ✓ SystemCallFilter=~@swap System call allow list defined for service, and @swap is not included | |
| vm-test-run-miniflux> ✗ SystemCallFilter=~@resources System call allow list defined for service, and @resources is included (e.g. ioprio_set is allowed) 2 | |
| vm-test-run-miniflux> ✓ SystemCallFilter=~@reboot System call allow list defined for service, and @reboot is not included | |
| vm-test-run-miniflux> ✓ SystemCallFilter=~@raw-io System call allow list defined for service, and @raw-io is not included | |
| vm-test-run-miniflux> ✓ SystemCallFilter=~@privileged System call allow list defined for service, and @privileged is not included | |
| vm-test-run-miniflux> ✓ SystemCallFilter=~@obsolete System call allow list defined for service, and @obsolete is not included | |
| vm-test-run-miniflux> ✓ SystemCallFilter=~@mount System call allow list defined for service, and @mount is not included | |
| vm-test-run-miniflux> ✓ SystemCallFilter=~@module System call allow list defined for service, and @module is not included | |
| vm-test-run-miniflux> ✓ SystemCallFilter=~@debug System call allow list defined for service, and @debug is not included | |
| vm-test-run-miniflux> ✓ SystemCallFilter=~@cpu-emulation System call allow list defined for service, and @cpu-emulation is not included | |
| vm-test-run-miniflux> ✓ SystemCallFilter=~@clock System call allow list defined for service, and @clock is not included | |
| vm-test-run-miniflux> ✓ RemoveIPC= Service user cannot leave SysV IPC objects around | |
| vm-test-run-miniflux> ✗ RootDirectory=/RootImage= Service runs within the host's root directory 1 | |
| vm-test-run-miniflux> ✓ User=/DynamicUser= Service runs under a transient non-root user identity | |
| vm-test-run-miniflux> ✓ RestrictRealtime= Service realtime scheduling access is restricted | |
| vm-test-run-miniflux> ✓ CapabilityBoundingSet=~CAP_SYS_TIME Service processes cannot change the system clock | |
| vm-test-run-miniflux> ✓ NoNewPrivileges= Service processes cannot acquire new privileges | |
| vm-test-run-miniflux> ✓ AmbientCapabilities= Service process does not receive ambient capabilities | |
| vm-test-run-miniflux> ✓ CapabilityBoundingSet=~CAP_BPF Service may load BPF programs | |
| vm-test-run-miniflux> ✓ SystemCallArchitectures= Service may execute system calls only with native ABI | |
| vm-test-run-miniflux> ✗ RestrictAddressFamilies=~AF_UNIX Service may allocate local sockets 1 | |
| vm-test-run-miniflux> ✗ RestrictAddressFamilies=~AF_(INET|INET6) Service may allocate Internet sockets 3 | |
| vm-test-run-miniflux> ✓ ProtectSystem= Service has strict read-only access to the OS file hierarchy | |
| vm-test-run-miniflux> ✓ ProtectProc= Service has restricted access to process tree (/proc hidepid=) | |
| vm-test-run-miniflux> ✓ SupplementaryGroups= Service has no supplementary groups | |
| vm-test-run-miniflux> ✓ CapabilityBoundingSet=~CAP_SYS_RAWIO Service has no raw I/O access | |
| vm-test-run-miniflux> ✓ CapabilityBoundingSet=~CAP_SYS_PTRACE Service has no ptrace() debugging abilities | |
| vm-test-run-miniflux> ✓ CapabilityBoundingSet=~CAP_SYS_(NICE|RESOURCE) Service has no privileges to change resource use parameters | |
| vm-test-run-miniflux> ✓ CapabilityBoundingSet=~CAP_NET_ADMIN Service has no network configuration privileges | |
| vm-test-run-miniflux> ✓ CapabilityBoundingSet=~CAP_NET_(BIND_SERVICE|BROADCAST|RAW) Service has no elevated networking privileges | |
| vm-test-run-miniflux> ✓ CapabilityBoundingSet=~CAP_AUDIT_* Service has no audit subsystem access | |
| vm-test-run-miniflux> ✓ CapabilityBoundingSet=~CAP_SYS_ADMIN Service has no administrator privileges | |
| vm-test-run-miniflux> ✓ PrivateTmp= Service has no access to other software's temporary files | |
| vm-test-run-miniflux> ✓ ProcSubset= Service has no access to non-process /proc files (/proc subset=) | |
| vm-test-run-miniflux> ✓ CapabilityBoundingSet=~CAP_SYSLOG Service has no access to kernel logging | |
| vm-test-run-miniflux> ✓ ProtectHome= Service has no access to home directories | |
| vm-test-run-miniflux> ✓ PrivateDevices= Service has no access to hardware devices | |
| vm-test-run-miniflux> ✗ PrivateNetwork= Service has access to the host's network 5 | |
| vm-test-run-miniflux> ✗ DeviceAllow= Service has a device ACL with some special devices: char-rtc:r 1 | |
| vm-test-run-miniflux> ✓ KeyringMode= Service doesn't share key material with other services | |
| vm-test-run-miniflux> ✓ Delegate= Service does not maintain its own delegated control group subtree | |
| vm-test-run-miniflux> ✓ PrivateUsers= Service does not have access to other users | |
| vm-test-run-miniflux> ✗ IPAddressDeny= Service does not define an IP address allow list 2 | |
| vm-test-run-miniflux> ✓ NotifyAccess= Service child processes cannot alter service state | |
| vm-test-run-miniflux> ✓ ProtectClock= Service cannot write to the hardware clock or system clock | |
| vm-test-run-miniflux> ✓ CapabilityBoundingSet=~CAP_SYS_PACCT Service cannot use acct() | |
| vm-test-run-miniflux> ✓ CapabilityBoundingSet=~CAP_KILL Service cannot send UNIX signals to arbitrary processes | |
| vm-test-run-miniflux> ✓ ProtectKernelLogs= Service cannot read from or write to the kernel log ring buffer | |
| vm-test-run-miniflux> ✓ CapabilityBoundingSet=~CAP_WAKE_ALARM Service cannot program timers that wake up the system | |
| vm-test-run-miniflux> ✓ CapabilityBoundingSet=~CAP_(DAC_*|FOWNER|IPC_OWNER) Service cannot override UNIX file/IPC permission checks | |
| vm-test-run-miniflux> ✓ ProtectControlGroups= Service cannot modify the control group file system | |
| vm-test-run-miniflux> ✓ CapabilityBoundingSet=~CAP_LINUX_IMMUTABLE Service cannot mark files immutable | |
| vm-test-run-miniflux> ✓ CapabilityBoundingSet=~CAP_IPC_LOCK Service cannot lock memory into RAM | |
| vm-test-run-miniflux> ✓ ProtectKernelModules= Service cannot load or read kernel modules | |
| vm-test-run-miniflux> ✓ CapabilityBoundingSet=~CAP_SYS_MODULE Service cannot load kernel modules | |
| vm-test-run-miniflux> ✓ CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG Service cannot issue vhangup() | |
| vm-test-run-miniflux> ✓ CapabilityBoundingSet=~CAP_SYS_BOOT Service cannot issue reboot() | |
| vm-test-run-miniflux> ✓ CapabilityBoundingSet=~CAP_SYS_CHROOT Service cannot issue chroot() | |
| vm-test-run-miniflux> ✓ PrivateMounts= Service cannot install system mounts | |
| vm-test-run-miniflux> ✓ CapabilityBoundingSet=~CAP_BLOCK_SUSPEND Service cannot establish wake locks | |
| vm-test-run-miniflux> ✓ MemoryDenyWriteExecute= Service cannot create writable executable memory mappings | |
| vm-test-run-miniflux> ✓ RestrictNamespaces=~user Service cannot create user namespaces | |
| vm-test-run-miniflux> ✓ RestrictNamespaces=~pid Service cannot create process namespaces | |
| vm-test-run-miniflux> ✓ RestrictNamespaces=~net Service cannot create network namespaces | |
| vm-test-run-miniflux> ✓ RestrictNamespaces=~uts Service cannot create hostname namespaces | |
| vm-test-run-miniflux> ✓ RestrictNamespaces=~mnt Service cannot create file system namespaces | |
| vm-test-run-miniflux> ✓ CapabilityBoundingSet=~CAP_LEASE Service cannot create file leases | |
| vm-test-run-miniflux> ✓ CapabilityBoundingSet=~CAP_MKNOD Service cannot create device nodes | |
| vm-test-run-miniflux> ✓ RestrictNamespaces=~cgroup Service cannot create cgroup namespaces | |
| vm-test-run-miniflux> ✓ RestrictNamespaces=~ipc Service cannot create IPC namespaces | |
| vm-test-run-miniflux> ✓ ProtectHostname= Service cannot change system host/domainname | |
| vm-test-run-miniflux> ✓ CapabilityBoundingSet=~CAP_(CHOWN|FSETID|SETFCAP) Service cannot change file ownership/access mode/capabilities | |
| vm-test-run-miniflux> ✓ CapabilityBoundingSet=~CAP_SET(UID|GID|PCAP) Service cannot change UID/GID identities/capabilities | |
| vm-test-run-miniflux> ✓ LockPersonality= Service cannot change ABI personality | |
| vm-test-run-miniflux> ✓ ProtectKernelTunables= Service cannot alter kernel tunables (/proc/sys, …) | |
| vm-test-run-miniflux> ✓ RestrictAddressFamilies=~AF_PACKET Service cannot allocate packet sockets | |
| vm-test-run-miniflux> ✓ RestrictAddressFamilies=~AF_NETLINK Service cannot allocate netlink sockets | |
| vm-test-run-miniflux> ✓ RestrictAddressFamilies=~… Service cannot allocate exotic sockets | |
| vm-test-run-miniflux> ✓ CapabilityBoundingSet=~CAP_MAC_* Service cannot adjust SMACK MAC | |
| vm-test-run-miniflux> ✓ RestrictSUIDSGID= SUID/SGID file creation by service is restricted | |
| vm-test-run-miniflux> ✓ UMask= Files created by service are accessible only by service's own user by default | |
| vm-test-run-miniflux> | |
| vm-test-run-miniflux> → Overall exposure level for miniflux.service: 1.2 OK :-) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| vm-test-run-miniflux> default: NAME DESCRIPTION EXPOSURE | |
| vm-test-run-miniflux> ✗ RemoveIPC= Service user may leave SysV IPC objects around 0.1 | |
| vm-test-run-miniflux> ✗ RootDirectory=/RootImage= Service runs within the host's root directory 0.1 | |
| vm-test-run-miniflux> ✓ User=/DynamicUser= Service runs under a static non-root user identity | |
| vm-test-run-miniflux> ✓ RestrictRealtime= Service realtime scheduling access is restricted | |
| vm-test-run-miniflux> ✓ CapabilityBoundingSet=~CAP_SYS_TIME Service processes cannot change the system clock | |
| vm-test-run-miniflux> ✓ NoNewPrivileges= Service processes cannot acquire new privileges | |
| vm-test-run-miniflux> ✗ AmbientCapabilities= Service process receives ambient capabilities 0.1 | |
| vm-test-run-miniflux> ✗ CapabilityBoundingSet=~CAP_SYS_PACCT Service may use acct() 0.1 | |
| vm-test-run-miniflux> ✗ CapabilityBoundingSet=~CAP_KILL Service may send UNIX signals to arbitrary processes 0.1 | |
| vm-test-run-miniflux> ✗ CapabilityBoundingSet=~CAP_(DAC_*|FOWNER|IPC_OWNER) Service may override UNIX file/IPC permission checks 0.2 | |
| vm-test-run-miniflux> ✗ CapabilityBoundingSet=~CAP_BPF Service may not load BPF programs 0.1 | |
| vm-test-run-miniflux> ✗ CapabilityBoundingSet=~CAP_LINUX_IMMUTABLE Service may mark files immutable 0.1 | |
| vm-test-run-miniflux> ✗ CapabilityBoundingSet=~CAP_IPC_LOCK Service may lock memory into RAM 0.1 | |
| vm-test-run-miniflux> ✗ CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG Service may issue vhangup() 0.1 | |
| vm-test-run-miniflux> ✗ CapabilityBoundingSet=~CAP_SYS_BOOT Service may issue reboot() 0.1 | |
| vm-test-run-miniflux> ✗ CapabilityBoundingSet=~CAP_SYS_CHROOT Service may issue chroot() 0.1 | |
| vm-test-run-miniflux> ✓ SystemCallArchitectures= Service may execute system calls only with native ABI | |
| vm-test-run-miniflux> ✗ CapabilityBoundingSet=~CAP_BLOCK_SUSPEND Service may establish wake locks 0.1 | |
| vm-test-run-miniflux> ✗ CapabilityBoundingSet=~CAP_LEASE Service may create file leases 0.1 | |
| vm-test-run-miniflux> ✗ RestrictSUIDSGID= Service may create SUID/SGID files 0.2 | |
| vm-test-run-miniflux> ✗ CapabilityBoundingSet=~CAP_(CHOWN|FSETID|SETFCAP) Service may change file ownership/access mode/capabilities unrestricted 0.2 | |
| vm-test-run-miniflux> ✗ CapabilityBoundingSet=~CAP_SET(UID|GID|PCAP) Service may change UID/GID identities/capabilities 0.3 | |
| vm-test-run-miniflux> ✗ RestrictAddressFamilies=~AF_PACKET Service may allocate packet sockets 0.2 | |
| vm-test-run-miniflux> ✗ RestrictAddressFamilies=~AF_NETLINK Service may allocate netlink sockets 0.1 | |
| vm-test-run-miniflux> ✗ RestrictAddressFamilies=~AF_UNIX Service may allocate local sockets 0.1 | |
| vm-test-run-miniflux> ✗ RestrictAddressFamilies=~… Service may allocate exotic sockets 0.3 | |
| vm-test-run-miniflux> ✗ RestrictAddressFamilies=~AF_(INET|INET6) Service may allocate Internet sockets 0.3 | |
| vm-test-run-miniflux> ✗ CapabilityBoundingSet=~CAP_MAC_* Service may adjust SMACK MAC 0.1 | |
| vm-test-run-miniflux> ✓ ProtectSystem= Service has strict read-only access to the OS file hierarchy | |
| vm-test-run-miniflux> ✗ CapabilityBoundingSet=~CAP_SYS_PTRACE Service has ptrace() debugging abilities 0.3 | |
| vm-test-run-miniflux> ✗ CapabilityBoundingSet=~CAP_SYS_(NICE|RESOURCE) Service has privileges to change resource use parameters 0.1 | |
| vm-test-run-miniflux> ✓ SupplementaryGroups= Service has no supplementary groups | |
| vm-test-run-miniflux> ✓ CapabilityBoundingSet=~CAP_SYS_RAWIO Service has no raw I/O access | |
| vm-test-run-miniflux> ✓ PrivateTmp= Service has no access to other software's temporary files | |
| vm-test-run-miniflux> ✓ CapabilityBoundingSet=~CAP_SYSLOG Service has no access to kernel logging | |
| vm-test-run-miniflux> ✓ ProtectHome= Service has no access to home directories | |
| vm-test-run-miniflux> ✓ PrivateDevices= Service has no access to hardware devices | |
| vm-test-run-miniflux> ✗ CapabilityBoundingSet=~CAP_NET_ADMIN Service has network configuration privileges 0.2 | |
| vm-test-run-miniflux> ✗ ProtectProc= Service has full access to process tree (/proc hidepid=) 0.2 | |
| vm-test-run-miniflux> ✗ ProcSubset= Service has full access to non-process /proc files (/proc subset=) 0.1 | |
| vm-test-run-miniflux> ✗ CapabilityBoundingSet=~CAP_NET_(BIND_SERVICE|BROADCAST|RAW) Service has elevated networking privileges 0.1 | |
| vm-test-run-miniflux> ✗ CapabilityBoundingSet=~CAP_AUDIT_* Service has audit subsystem access 0.1 | |
| vm-test-run-miniflux> ✗ CapabilityBoundingSet=~CAP_SYS_ADMIN Service has administrator privileges 0.3 | |
| vm-test-run-miniflux> ✗ PrivateNetwork= Service has access to the host's network 0.5 | |
| vm-test-run-miniflux> ✗ PrivateUsers= Service has access to other users 0.2 | |
| vm-test-run-miniflux> ✗ DeviceAllow= Service has a device ACL with some special devices: char-rtc:r 0.1 | |
| vm-test-run-miniflux> ✓ KeyringMode= Service doesn't share key material with other services | |
| vm-test-run-miniflux> ✓ Delegate= Service does not maintain its own delegated control group subtree | |
| vm-test-run-miniflux> ✗ SystemCallFilter=~@clock Service does not filter system calls 0.2 | |
| vm-test-run-miniflux> ✗ SystemCallFilter=~@cpu-emulation Service does not filter system calls 0.1 | |
| vm-test-run-miniflux> ✗ SystemCallFilter=~@debug Service does not filter system calls 0.2 | |
| vm-test-run-miniflux> ✗ SystemCallFilter=~@module Service does not filter system calls 0.2 | |
| vm-test-run-miniflux> ✗ SystemCallFilter=~@mount Service does not filter system calls 0.2 | |
| vm-test-run-miniflux> ✗ SystemCallFilter=~@obsolete Service does not filter system calls 0.1 | |
| vm-test-run-miniflux> ✗ SystemCallFilter=~@privileged Service does not filter system calls 0.2 | |
| vm-test-run-miniflux> ✗ SystemCallFilter=~@raw-io Service does not filter system calls 0.2 | |
| vm-test-run-miniflux> ✗ SystemCallFilter=~@reboot Service does not filter system calls 0.2 | |
| vm-test-run-miniflux> ✗ SystemCallFilter=~@resources Service does not filter system calls 0.2 | |
| vm-test-run-miniflux> ✗ SystemCallFilter=~@swap Service does not filter system calls 0.2 | |
| vm-test-run-miniflux> ✗ IPAddressDeny= Service does not define an IP address allow list 0.2 | |
| vm-test-run-miniflux> ✓ NotifyAccess= Service child processes cannot alter service state | |
| vm-test-run-miniflux> ✓ ProtectClock= Service cannot write to the hardware clock or system clock | |
| vm-test-run-miniflux> ✓ ProtectKernelLogs= Service cannot read from or write to the kernel log ring buffer | |
| vm-test-run-miniflux> ✓ CapabilityBoundingSet=~CAP_WAKE_ALARM Service cannot program timers that wake up the system | |
| vm-test-run-miniflux> ✓ ProtectControlGroups= Service cannot modify the control group file system | |
| vm-test-run-miniflux> ✓ ProtectKernelModules= Service cannot load or read kernel modules | |
| vm-test-run-miniflux> ✓ CapabilityBoundingSet=~CAP_SYS_MODULE Service cannot load kernel modules | |
| vm-test-run-miniflux> ✓ PrivateMounts= Service cannot install system mounts | |
| vm-test-run-miniflux> ✓ MemoryDenyWriteExecute= Service cannot create writable executable memory mappings | |
| vm-test-run-miniflux> ✓ RestrictNamespaces=~user Service cannot create user namespaces | |
| vm-test-run-miniflux> ✓ RestrictNamespaces=~pid Service cannot create process namespaces | |
| vm-test-run-miniflux> ✓ RestrictNamespaces=~net Service cannot create network namespaces | |
| vm-test-run-miniflux> ✓ RestrictNamespaces=~uts Service cannot create hostname namespaces | |
| vm-test-run-miniflux> ✓ RestrictNamespaces=~mnt Service cannot create file system namespaces | |
| vm-test-run-miniflux> ✓ CapabilityBoundingSet=~CAP_MKNOD Service cannot create device nodes | |
| vm-test-run-miniflux> ✓ RestrictNamespaces=~cgroup Service cannot create cgroup namespaces | |
| vm-test-run-miniflux> ✓ RestrictNamespaces=~ipc Service cannot create IPC namespaces | |
| vm-test-run-miniflux> ✓ ProtectHostname= Service cannot change system host/domainname | |
| vm-test-run-miniflux> ✓ LockPersonality= Service cannot change ABI personality | |
| vm-test-run-miniflux> ✓ ProtectKernelTunables= Service cannot alter kernel tunables (/proc/sys, …) | |
| vm-test-run-miniflux> ✗ UMask= Files created by service are world-readable by default 0.1 | |
| vm-test-run-miniflux> | |
| vm-test-run-miniflux> → Overall exposure level for miniflux.service: 5.5 MEDIUM :-| |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment