nixos/logrotate: relax hardening

The previous hardening change restricted the unit too much, breaking
legitimate functionality of logrotate.

Unfortunately this was not covered by our NixOS test.
Martin Weinelt 2024-09-29 12:29:19 +02:00
parent 325a2b4871
commit d3e0a89ca6
GPG Key ID: 87C1E9888F856759


@ -260,6 +260,8 @@ in
# hardening
CapabilityBoundingSet = [
"CAP_CHOWN"
"CAP_DAC_OVERRIDE"
"CAP_SETUID"
"CAP_SETGID"
];
DevicePolicy = "closed";
@ -280,16 +282,16 @@ in
ProtectSystem = "full";
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
RestrictSUIDSGID = false; # can create sgid directories
SystemCallArchitectures = "native";
SystemCallFilter = [
"@system-service"
"@system-service @setuid"
"~@privileged @resources"
"@chown"
];
UMask = "0027";
} // lib.optionalAttrs (!cfg.allowNetworking) {
PrivateNetwork = true;
PrivateNetwork = true; # e.g. mail delivery
RestrictAddressFamilies = "none";
};
};
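Review bot: In the second hunk `@setuid` is added to the allow entry `"@system-service @setuid"` that comes before `"~@privileged @resources"`, yet the trailing `"@chown"` entry exists precisely because a later deny entry strips what an earlier allow entry granted, and systemd's `@privileged` set covers the setuid/setgid family just as it covers `@chown`; if that ordering applies here as the `@chown` line assumes, the setuid calls are filtered out again and the `CAP_SETUID`/`CAP_SETGID` widening in the first hunk cannot be exercised, so the entry should move after the deny line, e.g. `"@chown @setuid"`. The `+`/`-` markers are lost on this page, so I am reading the `RestrictSUIDSGID = false`, `@setuid` and commented `PrivateNetwork` lines as the new side. The `# e.g. mail delivery` comment sits on `PrivateNetwork = true;`, the branch taken when `allowNetworking` is off, so it reads as the reason for isolating the network rather than for the option; placing it on the `lib.optionalAttrs (!cfg.allowNetworking)` line as `# allowNetworking is needed e.g. for mail delivery` says what is meant. Since the description notes the regression escaped the NixOS test, a test case that rotates under logrotate's `su` directive would pin the widened capability set, the `RestrictSUIDSGID` relaxation and the syscall filter together. The enclosing attribute set opens before the hunk.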