nixos/pppd: replace CAP_SYS_ADMIN with CAP_BPF
Kernels before version 5.7 required CAP_SYS_ADMIN to perform BPF operations. After that a separate capability, CAP_BPF, was created; it should be sufficient in this scenario and further tightens the sandbox around the pppd service. Tested on my personal DSL line.
This commit is contained in:
parent
b37087603e
commit
8abcc6ba09
|
@ -82,13 +82,21 @@ in
|
|||
LD_PRELOAD = "${pkgs.libredirect}/lib/libredirect.so";
|
||||
NIX_REDIRECTS = "/var/run=/run/pppd";
|
||||
};
|
||||
serviceConfig = {
|
||||
serviceConfig = let
|
||||
capabilities = [
|
||||
"CAP_BPF"
|
||||
"CAP_SYS_TTY_CONFIG"
|
||||
"CAP_NET_ADMIN"
|
||||
"CAP_NET_RAW"
|
||||
];
|
||||
in
|
||||
{
|
||||
ExecStart = "${getBin cfg.package}/sbin/pppd call ${peerCfg.name} nodetach nolog";
|
||||
Restart = "always";
|
||||
RestartSec = 5;
|
||||
|
||||
AmbientCapabilities = "CAP_SYS_TTY_CONFIG CAP_NET_ADMIN CAP_NET_RAW CAP_SYS_ADMIN";
|
||||
CapabilityBoundingSet = "CAP_SYS_TTY_CONFIG CAP_NET_ADMIN CAP_NET_RAW CAP_SYS_ADMIN";
|
||||
AmbientCapabilities = capabilities;
|
||||
CapabilityBoundingSet = capabilities;
|
||||
KeyringMode = "private";
|
||||
LockPersonality = true;
|
||||
MemoryDenyWriteExecute = true;
|
||||
|
|
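Review bot: CAP_BPF was introduced in Linux 5.8 (the description says 5.7), and on any older kernel the same operations remain gated behind CAP_SYS_ADMIN, which this hunk drops from both AmbientCapabilities and CapabilityBoundingSet with no fallback, so pppd would hit EPERM there. The kernel floor the module now assumes should be stated next to the list, e.g. `# CAP_BPF replaces CAP_SYS_ADMIN for pppd's BPF use; requires Linux >= 5.8 (older kernels need CAP_SYS_ADMIN instead)`, or the list made conditional on the configured kernel version if older kernels are still supported. Nothing in the hunk shows which pppd call actually needs BPF privilege; if it is only a classic packet filter attached through a socket option or PPP ioctl, those paths are not capability-gated and CAP_BPF itself may be droppable, which is worth confirming before shipping. The enclosing serviceConfig attribute set continues past the end of the hunk.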