nordic-dev.net/nixpkgs
nordic-dev.net/nixpkgs
2
0
Fork 0
mirror of https://github.com/NixOS/nixpkgs.git synced 2025-01-27 07:14:52 +00:00
Code Issues Packages Projects Releases Wiki Activity

nixos-containers: Set DevicePolicy=closed

Browse Source 
This makes the container a bit more secure, by preventing root
creating device nodes to access the host file system, for
instance. (Reference: systemd-nspawn@.service in systemd.)
This commit is contained in:
Eelco Dolstra 2016-07-28 17:39:14 +02:00
parent bf3edfbb3c
commit fd5bbdb436
1 changed files with 2 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
nixos/modules/virtualisation/containers.nix
View File

@ -415,6 +415,8 @@ in
# after the timeout). So send an ignored signal.
KillMode = "mixed";
KillSignal = "WINCH";
DevicePolicy = "closed";
};
};
in {