movefasta/nixpkgs
0
0
Fork 0
mirror of https://github.com/NixOS/nixpkgs.git synced 2025-07-13 13:40:28 +03:00
Code Activity

treewide: Remove ineffective capability grants. (#333533)

Browse source
This commit is contained in:
Franz Pletz 2024-11-06 08:12:51 +01:00 committed by GitHub
commit 0fc41ad977
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
12 changed files with 2 additions and 27 deletions
Download patch file Download diff file Expand all files Collapse all files

2
nixos/modules/services/monitoring/prometheus/default.nix
View file

@ -1834,8 +1834,6 @@ in
StateDirectory = cfg.stateDir;
StateDirectoryMode = "0700";
# Hardening
AmbientCapabilities = lib.mkIf (cfg.port < 1024) [ "CAP_NET_BIND_SERVICE" ];
CapabilityBoundingSet = if (cfg.port < 1024) then [ "CAP_NET_BIND_SERVICE" ] else [ "" ];
DeviceAllow = [ "/dev/null rw" ];
DevicePolicy = "strict";
LockPersonality = true;