nordic-dev.net/nixpkgs
nordic-dev.net/nixpkgs
2
0
Fork 0
mirror of https://github.com/NixOS/nixpkgs.git synced 2024-11-25 16:33:15 +00:00
Code Issues Packages Projects Releases Wiki Activity

treewide: Remove ineffective capability grants. (#333533)

Browse Source
This commit is contained in:
Franz Pletz 2024-11-06 08:12:51 +01:00 committed by GitHub
commit 0fc41ad977
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
12 changed files with 2 additions and 27 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
nixos/modules/services/misc/mollysocket.nix
View File

@ -1,7 +1,7 @@
{ config, lib, pkgs, ... }:
let
inherit (lib) getExe mkIf mkOption mkEnableOption optionals types;
inherit (lib) getExe mkIf mkOption mkEnableOption types;
cfg = config.services.mollysocket;
configuration = format.generate "mollysocket.conf" cfg.settings;
@ -85,9 +85,7 @@ in {
after = [ "network-online.target" ];
wants = [ "network-online.target" ];
environment.RUST_LOG = cfg.logLevel;
serviceConfig = let
capabilities = [ "" ] ++ optionals (cfg.settings.port < 1024) [ "CAP_NET_BIND_SERVICE" ];
in {
serviceConfig = {
EnvironmentFile = cfg.environmentFile;
ExecStart = "${getExe package} server";
KillSignal = "SIGINT";
@ -97,8 +95,6 @@ in {
WorkingDirectory = "/var/lib/mollysocket";
# hardening
AmbientCapabilities = capabilities;
CapabilityBoundingSet = capabilities;
DevicePolicy = "closed";
DynamicUser = true;
LockPersonality = true;

3
nixos/modules/services/misc/paperless.nix
View File

@ -372,9 +372,6 @@ in
SystemCallFilter = defaultServiceConfig.SystemCallFilter ++ [ "@setuid mbind" ];
# Needs to serve web page
PrivateNetwork = false;
} // lib.optionalAttrs (cfg.port < 1024) {
AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
};
environment = env // {
PYTHONPATH = "${cfg.package.python.pkgs.makePythonPath cfg.package.propagatedBuildInputs}:${cfg.package}/lib/paperless-ngx/src";

3
nixos/modules/services/misc/tandoor-recipes.nix
View File

@ -119,9 +119,6 @@ in
# gunicorn needs setuid
SystemCallFilter = [ "@system-service" "~@privileged" "@resources" "@setuid" "@keyring" ];
UMask = "0066";
} // lib.optionalAttrs (cfg.port < 1024) {
AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
};
wantedBy = [ "multi-user.target" ];

1
nixos/modules/services/misc/transfer-sh.nix
View File

@ -69,7 +69,6 @@ in
wantedBy = [ "multi-user.target" ];
environment = mapAttrs (_: v: if isBool v then boolToString v else toString v) cfg.settings;
serviceConfig = {
CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
DevicePolicy = "closed";
DynamicUser = true;
ExecStart = "${getExe cfg.package} --provider ${cfg.provider}";

1
nixos/modules/services/misc/wastebin.nix
View File

@ -126,7 +126,6 @@ in
wantedBy = [ "multi-user.target" ];
environment = mapAttrs (_: v: if isBool v then boolToString v else toString v) cfg.settings;
serviceConfig = {
CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
DevicePolicy = "closed";
DynamicUser = true;
ExecStart = "${getExe cfg.package}";

2
nixos/modules/services/monitoring/prometheus/default.nix
View File

@ -1834,8 +1834,6 @@ in
StateDirectory = cfg.stateDir;
StateDirectoryMode = "0700";
# Hardening
AmbientCapabilities = lib.mkIf (cfg.port < 1024) [ "CAP_NET_BIND_SERVICE" ];
CapabilityBoundingSet = if (cfg.port < 1024) then [ "CAP_NET_BIND_SERVICE" ] else [ "" ];
DeviceAllow = [ "/dev/null rw" ];
DevicePolicy = "strict";
LockPersonality = true;

2
nixos/modules/services/web-apps/dex.nix
View File

@ -80,7 +80,6 @@ in
];
RuntimeDirectory = "dex";
AmbientCapabilities = "CAP_NET_BIND_SERVICE";
BindReadOnlyPaths = [
"/nix/store"
"-/etc/dex"
@ -91,7 +90,6 @@ in
"-/etc/ssl/certs/ca-certificates.crt"
];
BindPaths = optional (cfg.settings.storage.type == "postgres") "/var/run/postgresql";
CapabilityBoundingSet = "CAP_NET_BIND_SERVICE";
# ProtectClock= adds DeviceAllow=char-rtc r
DeviceAllow = "";
DynamicUser = true;

1
nixos/modules/services/web-apps/freshrss.nix
View File

@ -164,7 +164,6 @@ in
let
defaultServiceConfig = {
ReadWritePaths = "${cfg.dataDir}";
CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
DeviceAllow = "";
LockPersonality = true;
NoNewPrivileges = true;

1
nixos/modules/services/web-apps/microbin.nix
View File

@ -61,7 +61,6 @@ in
wantedBy = [ "multi-user.target" ];
environment = lib.mapAttrs (_: v: if lib.isBool v then lib.boolToString v else toString v) cfg.settings;
serviceConfig = {
CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
DevicePolicy = "closed";
DynamicUser = true;
EnvironmentFile = lib.optional (cfg.passwordFile != null) cfg.passwordFile;

4
nixos/modules/services/web-apps/photoprism.nix
View File

@ -109,7 +109,6 @@ in
LoadCredential = lib.optionalString (cfg.passwordFile != null)
"PHOTOPRISM_ADMIN_PASSWORD:${cfg.passwordFile}";
CapabilityBoundingSet = "";
LockPersonality = true;
PrivateDevices = true;
PrivateUsers = true;
@ -126,9 +125,6 @@ in
SystemCallArchitectures = "native";
SystemCallFilter = [ "@system-service" "~@setuid @keyring" ];
UMask = "0066";
} // lib.optionalAttrs (cfg.port < 1024) {
AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
};
wantedBy = [ "multi-user.target" ];

2
nixos/modules/services/web-apps/powerdns-admin.nix
View File

@ -87,7 +87,6 @@ in
User = "powerdnsadmin";
Group = "powerdnsadmin";
AmbientCapabilities = "CAP_NET_BIND_SERVICE";
BindReadOnlyPaths = [
"/nix/store"
"-/etc/resolv.conf"
@ -97,7 +96,6 @@ in
]
++ (optional (cfg.secretKeyFile != null) cfg.secretKeyFile)
++ (optional (cfg.saltFile != null) cfg.saltFile);
CapabilityBoundingSet = "CAP_NET_BIND_SERVICE";
# ProtectClock= adds DeviceAllow=char-rtc r
DeviceAllow = "";
# Implies ProtectSystem=strict, which re-mounts all paths

1
nixos/modules/services/web-apps/shiori.nix
View File

@ -90,7 +90,6 @@ in {
"/var/run/mysqld";
CapabilityBoundingSet = "";
AmbientCapabilities = "CAP_NET_BIND_SERVICE";
DeviceAllow = "";