From a0085187a9ddf1dbb998ed359d2cfb800e298bec Mon Sep 17 00:00:00 2001
From: Simon Gardling
Date: Tue, 14 Apr 2026 21:59:08 -0400
Subject: [PATCH] fix systemd-tmpfiles
---
 modules/security.nix | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/modules/security.nix b/modules/security.nix
index 947bd7c..a0961c6 100644
--- a/modules/security.nix
+++ b/modules/security.nix
@@ -83,6 +83,17 @@
 # Ignore broadcast ICMP (SMURF amplification mitigation).
 "net.ipv4.icmp_echo_ignore_broadcasts" = true;
+
+ # Filesystem hardening: prevent hardlink/symlink-based attacks.
+ # protected_hardlinks/symlinks: block unprivileged creation of hard/symlinks
+ # to files the user doesn't own (prevents TOCTOU privilege escalation).
+ # protected_fifos/regular (level 2): restrict opening FIFOs and regular files
+ # in world-writable sticky directories to owner/group match only.
+ # Also required for systemd-tmpfiles to chmod hardlinked files.
+ "fs.protected_hardlinks" = true;
+ "fs.protected_symlinks" = true;
+ "fs.protected_fifos" = 2;
+ "fs.protected_regular" = 2;
 };
 services = {
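Review bot: The comment above the new `fs.protected_symlinks` line misdescribes the control: protected_symlinks does not block creating symlinks, it restricts following symlinks in world-writable sticky directories (allowed only when the follower owns the link or owns the directory), and protected_hardlinks blocks hardlinking files the caller cannot both read and write, not merely files it does not own. The level-2 comment on `fs.protected_fifos`/`fs.protected_regular` should also say what 2 adds over 1: level 1 restricts O_CREAT opens of FIFOs and regular files not owned by the opener in world-writable sticky directories, level 2 extends that to group-writable sticky directories. Suggested wording: `# protected_hardlinks: hardlinks only to files the caller can read+write; protected_symlinks: symlinks in world-writable sticky dirs are followed only by the link owner or the dir owner.` and `# protected_fifos/regular: 1 = world-writable sticky dirs, 2 = also group-writable sticky dirs.` Level 2 is stricter than the value 1 that systemd's upstream sysctl.d defaults use, so it is worth recording that the stricter setting is deliberate and checking that no service in this config relies on group-writable shared directories. The enclosing attribute set starts outside the hunk, so I am assuming from the surrounding keys that it is `boot.kernel.sysctl`.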