diff options
author | woojiq <yurii.shymon@gmail.com> | 2023-05-15 14:45:21 +0300 |
---|---|---|
committer | pennae <82953136+pennae@users.noreply.github.com> | 2023-05-15 15:28:34 +0200 |
commit | 2ee66a3000fd65bc76e83a62e57337a9dccdb7c2 (patch) | |
tree | 8ec125f555a6434d7de75a5e0f8e0250e95ccf2c /nixos/modules/services/hardware | |
parent | 5bb17df5521d88c472f83e34bb6976b02376f6aa (diff) | |
download | nixpkgs-2ee66a3000fd65bc76e83a62e57337a9dccdb7c2.tar nixpkgs-2ee66a3000fd65bc76e83a62e57337a9dccdb7c2.tar.gz nixpkgs-2ee66a3000fd65bc76e83a62e57337a9dccdb7c2.tar.bz2 nixpkgs-2ee66a3000fd65bc76e83a62e57337a9dccdb7c2.tar.lz nixpkgs-2ee66a3000fd65bc76e83a62e57337a9dccdb7c2.tar.xz nixpkgs-2ee66a3000fd65bc76e83a62e57337a9dccdb7c2.tar.zst nixpkgs-2ee66a3000fd65bc76e83a62e57337a9dccdb7c2.zip |
keyd: run systemd service as root user
Diffstat (limited to 'nixos/modules/services/hardware')
-rw-r--r-- | nixos/modules/services/hardware/keyd.nix | 18 |
1 files changed, 16 insertions, 2 deletions
diff --git a/nixos/modules/services/hardware/keyd.nix b/nixos/modules/services/hardware/keyd.nix index 64c769405fa..d17b0e4303e 100644 --- a/nixos/modules/services/hardware/keyd.nix +++ b/nixos/modules/services/hardware/keyd.nix @@ -76,7 +76,9 @@ in ExecStart = "${pkgs.keyd}/bin/keyd"; Restart = "always"; - DynamicUser = true; + # TODO investigate why it doesn't work propeprly with DynamicUser + # See issue: https://github.com/NixOS/nixpkgs/issues/226346 + # DynamicUser = true; SupplementaryGroups = [ config.users.groups.input.name config.users.groups.uinput.name @@ -96,6 +98,7 @@ in ProtectHostname = true; PrivateUsers = true; PrivateMounts = true; + PrivateTmp = true; RestrictNamespaces = true; ProtectKernelLogs = true; ProtectKernelModules = true; @@ -104,7 +107,18 @@ in MemoryDenyWriteExecute = true; RestrictRealtime = true; LockPersonality = true; - ProtectProc = "noaccess"; + ProtectProc = "invisible"; + SystemCallFilter = [ + "@system-service" + "~@privileged" + "~@resources" + ]; + RestrictAddressFamilies = [ "AF_UNIX" ]; + RestrictSUIDSGID = true; + IPAddressDeny = [ "any" ]; + NoNewPrivileges = true; + ProtectSystem = "strict"; + ProcSubset = "pid"; UMask = "0077"; }; }; |