nixos/zigbee2mqtt: only add port to DeviceAllow if it is a path

zigbee2mqtt supports having non-device ports (e.g. `tcp://`); those
should not be set in DeviceAllow. No URI will start with `/`, so use a
leading `/` as the filter for a “real” device path that needs to be allowed.
Andrew Marshall 2024-11-12 13:20:18 -05:00
parent dc460ec76c
commit 577e162073


@ -76,9 +76,7 @@ in
# Hardening
CapabilityBoundingSet = "";
DeviceAllow = [
config.services.zigbee2mqtt.settings.serial.port
];
DeviceAllow = lib.optionals (lib.hasPrefix "/" cfg.settings.serial.port) [ cfg.settings.serial.port ];
DevicePolicy = "closed";
LockPersonality = true;
MemoryDenyWriteExecute = false;