movefasta/nixpkgs
1
0
Fork 0
mirror of https://github.com/NixOS/nixpkgs.git synced 2025-06-14 21:49:34 +03:00
Code Issues Projects Releases Packages Wiki Activity

nixos/dhcpcd: update sandboxing options

Browse source
This commit is contained in:
Izorkin 2024-10-16 16:43:04 +03:00
parent 5dec6c3523
commit 21bb7ea948
No known key found for this signature in database
GPG key ID: 1436C1B3F3679F09
1 changed files with 2 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

3
nixos/modules/services/networking/dhcpcd.nix
View file

@ -249,6 +249,7 @@ in
ExecReload = "${dhcpcd}/sbin/dhcpcd --rebind"; ExecReload = "${dhcpcd}/sbin/dhcpcd --rebind";
Restart = "always"; Restart = "always";
AmbientCapabilities = [ "CAP_NET_ADMIN" "CAP_NET_RAW" "CAP_NET_BIND_SERVICE" ]; AmbientCapabilities = [ "CAP_NET_ADMIN" "CAP_NET_RAW" "CAP_NET_BIND_SERVICE" ];
CapabilityBoundingSet = [ "CAP_NET_ADMIN" "CAP_NET_RAW" "CAP_NET_BIND_SERVICE" ];
ReadWritePaths = [ "/proc/sys/net/ipv4" ] ReadWritePaths = [ "/proc/sys/net/ipv4" ]
++ lib.optional cfgN.enableIPv6 "/proc/sys/net/ipv6" ++ lib.optional cfgN.enableIPv6 "/proc/sys/net/ipv6"
++ lib.optionals useResolvConf ([ "/run/resolvconf" ] ++ config.networking.resolvconf.subscriberFiles); ++ lib.optionals useResolvConf ([ "/run/resolvconf" ] ++ config.networking.resolvconf.subscriberFiles);
@ -276,7 +277,7 @@ in
RestrictSUIDSGID = true; RestrictSUIDSGID = true;
SystemCallFilter = [ SystemCallFilter = [
"@system-service" "@system-service"
"~@aio" "~@chown" "~@keyring" "~@memlock" "~@aio" "~@keyring" "~@memlock" "~@mount" "~@privileged" "~@resources"
]; ];
SystemCallArchitectures = "native"; SystemCallArchitectures = "native";
UMask = "0027"; UMask = "0027";