author | Martin Weinelt <hexa@darmstadt.ccc.de> | 2021-07-21 15:08:44 +0200 |
---|---|---|
committer | Martin Weinelt <hexa@darmstadt.ccc.de> | 2021-07-21 15:20:47 +0200 |
commit | 8abcc6ba09d0a8978f901fecf66fe8072de02ab9 (patch) | |
tree | cc21daaba9f421b78d6c76c58492ce512b75ce93 /nixos/modules/services/networking/pppd.nix | |
parent | b37087603eac209e139260c72e1c8970974308e3 (diff) | |
nixos/pppd: replace CAP_SYS_ADMIN with CAP_BPF
Kernels before version 5.7 required CAP_SYS_ADMIN to perform BPF operations. Since then a separate capability, CAP_BPF, exists, which should be sufficient in this scenario and further tightens the sandbox around our pppd service. Tested on my personal DSL line.
Diffstat (limited to 'nixos/modules/services/networking/pppd.nix')
-rw-r--r-- | nixos/modules/services/networking/pppd.nix | 14 |
1 files changed, 11 insertions, 3 deletions
diff --git a/nixos/modules/services/networking/pppd.nix b/nixos/modules/services/networking/pppd.nix
index c1cbdb46176..45c841dbea8 100644
--- a/nixos/modules/services/networking/pppd.nix
+++ b/nixos/modules/services/networking/pppd.nix
@@ -82,13 +82,21 @@ in
 LD_PRELOAD = "${pkgs.libredirect}/lib/libredirect.so";
 NIX_REDIRECTS = "/var/run=/run/pppd";
 };
- serviceConfig = {
+ serviceConfig = let
+ capabilities = [
+ "CAP_BPF"
+ "CAP_SYS_TTY_CONFIG"
+ "CAP_NET_ADMIN"
+ "CAP_NET_RAW"
+ ];
+ in
+ {
 ExecStart = "${getBin cfg.package}/sbin/pppd call ${peerCfg.name} nodetach nolog";
 Restart = "always";
 RestartSec = 5;
- AmbientCapabilities = "CAP_SYS_TTY_CONFIG CAP_NET_ADMIN CAP_NET_RAW CAP_SYS_ADMIN";
- CapabilityBoundingSet = "CAP_SYS_TTY_CONFIG CAP_NET_ADMIN CAP_NET_RAW CAP_SYS_ADMIN";
+ AmbientCapabilities = capabilities;
+ CapabilityBoundingSet = capabilities;
 KeyringMode = "private";
 LockPersonality = true;
 MemoryDenyWriteExecute = true; |
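Review bot: The new `capabilities` list relies on `CAP_BPF`, which only exists on Linux 5.8 and later (the description says 5.7, but I believe the capability landed in 5.8), and nothing in the module checks the running kernel; on an older kernel selected through `boot.kernelPackages`, systemd as far as I recall logs an unknown-capability warning and drops the entry instead of failing the unit, so pppd would start without the permission that `CAP_SYS_ADMIN` previously provided and the regression would only show up as a runtime failure. Document the requirement next to the list, e.g. `# CAP_BPF replaces CAP_SYS_ADMIN for BPF operations and requires Linux >= 5.8; older kernels drop unknown capability names`, and preferably add an assertion on `config.boot.kernelPackages.kernel.version` so evaluation fails with a clear message on an unsupported kernel. The `serviceConfig` attribute set continues past the end of the hunk.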