
nixos/pppd: replace CAP_SYS_ADMIN with CAP_BPF

Kernels before version 5.7 required CAP_SYS_ADMIN for BPF operations. Newer
kernels provide a dedicated CAP_BPF capability, which should be sufficient
here and further tightens the sandbox around the pppd service.

Tested on my personal DSL line.
Martin Weinelt 2021-07-21 15:08:44 +02:00
parent b37087603e
commit 8abcc6ba09
No known key found for this signature in database
GPG key ID: 87C1E9888F856759


@ -82,13 +82,21 @@ in
LD_PRELOAD = "${pkgs.libredirect}/lib/libredirect.so";
NIX_REDIRECTS = "/var/run=/run/pppd";
};
serviceConfig = {
serviceConfig = let
capabilities = [
"CAP_BPF"
"CAP_SYS_TTY_CONFIG"
"CAP_NET_ADMIN"
"CAP_NET_RAW"
];
in
{
ExecStart = "${getBin cfg.package}/sbin/pppd call ${peerCfg.name} nodetach nolog";
Restart = "always";
RestartSec = 5;
AmbientCapabilities = "CAP_SYS_TTY_CONFIG CAP_NET_ADMIN CAP_NET_RAW CAP_SYS_ADMIN";
CapabilityBoundingSet = "CAP_SYS_TTY_CONFIG CAP_NET_ADMIN CAP_NET_RAW CAP_SYS_ADMIN";
AmbientCapabilities = capabilities;
CapabilityBoundingSet = capabilities;
KeyringMode = "private";
LockPersonality = true;
MemoryDenyWriteExecute = true;