nixos/netadata: update capabilities (#414823)

Maciej Krüger 2025-06-08 14:20:48 +02:00 committed by GitHub
commit fab1819a09
GPG key ID: B5690EEEBB952194

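--- a/[file path not shown on page]
+++ b/[file path not shown on page]
@@ -367,19 +367,25 @@ in
 # AmbientCapabilities
 AmbientCapabilities = lib.optional isThereAnyWireGuardTunnels "CAP_NET_ADMIN";
 # Capabilities
-CapabilityBoundingSet = [
-"CAP_DAC_OVERRIDE" # is required for freeipmi and slabinfo plugins
-"CAP_DAC_READ_SEARCH" # is required for apps and systemd-journal plugin
-"CAP_FOWNER" # is required for freeipmi plugin
-"CAP_SETPCAP" # is required for apps, perf and slabinfo plugins
-"CAP_SYS_ADMIN" # is required for perf plugin
-"CAP_SYS_PTRACE" # is required for apps plugin
-"CAP_SYS_RESOURCE" # is required for ebpf plugin
-"CAP_NET_RAW" # is required for fping app
-"CAP_SYS_CHROOT" # is required for cgroups plugin
-"CAP_SETUID" # is required for cgroups and cgroups-network plugins
-"CAP_SYSLOG" # is required for systemd-journal plugin
-] ++ lib.optional isThereAnyWireGuardTunnels "CAP_NET_ADMIN";
+CapabilityBoundingSet =
+[
+"CAP_DAC_OVERRIDE" # is required for freeipmi and slabinfo plugins
+"CAP_DAC_READ_SEARCH" # is required for apps and systemd-journal plugin
+"CAP_NET_RAW" # is required for fping app
+"CAP_PERFMON" # is required for perf plugin
+"CAP_SETPCAP" # is required for apps, perf and slabinfo plugins
+"CAP_SETUID" # is required for cgroups and cgroups-network plugins
+"CAP_SYSLOG" # is required for systemd-journal plugin
+"CAP_SYS_ADMIN" # is required for perf plugin
+"CAP_SYS_CHROOT" # is required for cgroups plugin
+"CAP_SYS_PTRACE" # is required for apps plugin
+"CAP_SYS_RESOURCE" # is required for ebpf plugin
+]
+++ lib.optionals cfg.package.withIpmi [
+"CAP_FOWNER"
+"CAP_SYS_RAWIO"
+]
+++ lib.optional isThereAnyWireGuardTunnels "CAP_NET_ADMIN";
 # Sandboxing
 ProtectSystem = "full";
 ProtectHome = "read-only";
@@ -464,7 +470,7 @@ in
 // lib.optionalAttrs (cfg.package.withIpmi) {
 "freeipmi.plugin" = {
 source = "${cfg.package}/libexec/netdata/plugins.d/freeipmi.plugin.org";
-capabilities = "cap_dac_override,cap_fowner+ep";
+capabilities = "cap_dac_override,cap_fowner,cap_sys_rawio+ep";
 owner = cfg.user;
 group = cfg.group;
 permissions = "u+rx,g+x,o-rwx";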
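Review bot: In the hunk at -367, CAP_SYS_ADMIN is kept next to the newly added CAP_PERFMON with the identical `# is required for perf plugin` comment, so the bounding set now carries both; CAP_PERFMON is the narrower capability for perf_event_open on recent kernels, and if it is sufficient for the perf plugin the CAP_SYS_ADMIN entry should be dropped rather than retained — worth confirming against the plugin before merging. The two entries in the new `lib.optionals cfg.package.withIpmi` list are the only ones in CapabilityBoundingSet without a reason comment; matching the rest of the list with `"CAP_FOWNER" # is required for freeipmi plugin` and `"CAP_SYS_RAWIO" # is required for freeipmi plugin` would record why a capability as broad as CAP_SYS_RAWIO is in the bounding set (the -464 hunk grants it to freeipmi.plugin with `+ep`). The CapabilityBoundingSet expression and the freeipmi.plugin attrset are shown in full, but the enclosing serviceConfig and module bodies continue outside both hunks.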