mirror of
https://github.com/NixOS/nixpkgs.git
synced 2025-01-16 18:03:59 +00:00
24adc01e2e
Since v2021.5.0 home-assistant uses the ifaddr library in the zeroconf
component to enumerate network interfaces via netlink. Since discovery
is all over the place lets allow AF_NETLINK unconditionally.
It also relies on pyroute2 now, which additionally tries to access files
in /proc/net, so we relax ProtectProc a bit by default as well.
This leaves us with these options unsecured:
✗ PrivateNetwork= Service has access to the host's network 0.5
✗ RestrictAddressFamilies=~AF_(INET|INET6) Service may allocate Internet sockets 0.3
✗ DeviceAllow= Service has a device ACL with some special devices 0.1
✗ IPAddressDeny= Service does not define an IP address allow list 0.2
✗ PrivateDevices= Service potentially has access to hardware devices 0.2
✗ PrivateUsers= Service has access to other users 0.2
✗ SystemCallFilter=~@resources System call allow list defined for service, and @resources is included (e.g. ioprio_set is allowed) 0.2
✗ RestrictAddressFamilies=~AF_NETLINK Service may allocate netlink sockets 0.1
✗ RootDirectory=/RootImage= Service runs within the host's root directory 0.1
✗ SupplementaryGroups= Service runs with supplementary groups 0.1
✗ RestrictAddressFamilies=~AF_UNIX Service may allocate local sockets 0.1
✗ ProcSubset= Service has full access to non-process /proc files (/proc subset=) 0.1
→ Overall exposure level for home-assistant.service: 1.6 OK 🙂
|
||
|---|---|---|
| .. | ||
| taskserver | ||
| airsonic.nix | ||
| ankisyncd.nix | ||
| apache-kafka.nix | ||
| autofs.nix | ||
| autorandr.nix | ||
| bazarr.nix | ||
| beanstalkd.nix | ||
| bees.nix | ||
| bepasty.nix | ||
| calibre-server.nix | ||
| canto-daemon.nix | ||
| cfdyndns.nix | ||
| cgminer.nix | ||
| clipmenu.nix | ||
| confd.nix | ||
| couchpotato.nix | ||
| cpuminer-cryptonight.nix | ||
| devmon.nix | ||
| dictd.nix | ||
| disnix.nix | ||
| docker-registry.nix | ||
| domoticz.nix | ||
| duckling.nix | ||
| dwm-status.nix | ||
| dysnomia.nix | ||
| errbot.nix | ||
| etcd.nix | ||
| etebase-server.nix | ||
| etesync-dav.nix | ||
| ethminer.nix | ||
| exhibitor.nix | ||
| felix.nix | ||
| freeswitch.nix | ||
| fstrim.nix | ||
| gammu-smsd.nix | ||
| geoip-updater.nix | ||
| gitea.nix | ||
| gitit.nix | ||
| gitlab.nix | ||
| gitlab.xml | ||
| gitolite.nix | ||
| gitweb.nix | ||
| gogs.nix | ||
| gollum.nix | ||
| gpsd.nix | ||
| greenclip.nix | ||
| headphones.nix | ||
| home-assistant.nix | ||
| ihaskell.nix | ||
| irkerd.nix | ||
| jackett.nix | ||
| jellyfin.nix | ||
| klipper.nix | ||
| leaps.nix | ||
| lidarr.nix | ||
| lifecycled.nix | ||
| logkeys.nix | ||
| mame.nix | ||
| matrix-appservice-discord.nix | ||
| matrix-appservice-irc.nix | ||
| matrix-dendrite.nix | ||
| matrix-synapse-log_config.yaml | ||
| matrix-synapse.nix | ||
| matrix-synapse.xml | ||
| mautrix-telegram.nix | ||
| mbpfan.nix | ||
| mediatomb.nix | ||
| metabase.nix | ||
| mwlib.nix | ||
| n8n.nix | ||
| nix-daemon.nix | ||
| nix-gc.nix | ||
| nix-optimise.nix | ||
| nix-ssh-serve.nix | ||
| novacomd.nix | ||
| nzbget.nix | ||
| nzbhydra2.nix | ||
| octoprint.nix | ||
| ombi.nix | ||
| osrm.nix | ||
| packagekit.nix | ||
| paperless.nix | ||
| parsoid.nix | ||
| pinnwand.nix | ||
| plex.nix | ||
| plikd.nix | ||
| podgrab.nix | ||
| pykms.nix | ||
| radarr.nix | ||
| redmine.nix | ||
| ripple-data-api.nix | ||
| rippled.nix | ||
| safeeyes.nix | ||
| serviio.nix | ||
| sickbeard.nix | ||
| siproxd.nix | ||
| snapper.nix | ||
| sonarr.nix | ||
| spice-vdagentd.nix | ||
| ssm-agent.nix | ||
| sssd.nix | ||
| subsonic.nix | ||
| sundtek.nix | ||
| svnserve.nix | ||
| synergy.nix | ||
| sysprof.nix | ||
| tautulli.nix | ||
| tiddlywiki.nix | ||
| tzupdate.nix | ||
| uhub.nix | ||
| weechat.nix | ||
| weechat.xml | ||
| xmr-stak.nix | ||
| zigbee2mqtt.nix | ||
| zoneminder.nix | ||
| zookeeper.nix | ||