movefasta/nixpkgs
0
0
Fork 0
mirror of https://github.com/NixOS/nixpkgs.git synced 2025-07-14 14:10:33 +03:00
Code Activity

nixos/ebusd: fix device access

Browse source
This commit is contained in:
Moritz Vogel 2024-11-01 00:16:49 +01:00
parent 79a7ad1c21
commit 0c1feac497
1 changed files with 9 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

12
nixos/modules/services/home-automation/ebusd.nix
View file

@ -155,7 +155,11 @@ in
config =
let
usesDev = lib.hasPrefix "/" cfg.device;
usesDev = lib.any (prefix: lib.hasPrefix prefix cfg.device) [
"/"
"ens:/"
"enh:/"
];
in
lib.mkIf cfg.enable {
systemd.services.ebusd = {
@ -200,12 +204,14 @@ in
# Hardening
CapabilityBoundingSet = "";
DeviceAllow = lib.optionals usesDev [ cfg.device ];
DeviceAllow = lib.optionals usesDev [
(lib.removePrefix "ens:" (lib.removePrefix "enh:" cfg.device))
];
DevicePolicy = "closed";
LockPersonality = true;
MemoryDenyWriteExecute = false;
NoNewPrivileges = true;
PrivateDevices = usesDev;
PrivateDevices = !usesDev;
PrivateUsers = true;
PrivateTmp = true;
ProtectClock = true;