author | github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> | 2021-06-24 00:06:31 +0000 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-06-24 00:06:31 +0000 |
commit | 1f528e6ac6ec8b96ca06c2bd82eb3c471f8861e2 (patch) | |
tree | 87c843ab388bce962d31ddc62346a75d1d46441b /nixos/modules/services/networking | |
parent | bcc720d9c5ddc6e2ac90370d0be694e3e60c1495 (diff) | |
parent | d437a6cac2086ead6232bc4d84c25c58a33c1b59 (diff) | |
Merge staging-next into staging
Diffstat (limited to 'nixos/modules/services/networking')
-rw-r--r-- | nixos/modules/services/networking/babeld.nix | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/nixos/modules/services/networking/babeld.nix b/nixos/modules/services/networking/babeld.nix
index 5e14283179a..aae6f1498a4 100644
--- a/nixos/modules/services/networking/babeld.nix
+++ b/nixos/modules/services/networking/babeld.nix
@@ -104,6 +104,7 @@ in
 ExecStart = "${pkgs.babeld}/bin/babeld -c ${configFile} -I /run/babeld/babeld.pid -S /var/lib/babeld/state";
 AmbientCapabilities = [ "CAP_NET_ADMIN" ];
 CapabilityBoundingSet = [ "CAP_NET_ADMIN" ];
+ DevicePolicy = "closed";
 DynamicUser = true;
 IPAddressAllow = [ "fe80::/64" "ff00::/8" "::1/128" "127.0.0.0/8" ];
 IPAddressDeny = "any";
@@ -123,12 +124,17 @@ in
 RemoveIPC = true;
 ProtectHome = true;
 ProtectHostname = true;
+ ProtectProc = "invisible";
 PrivateMounts = true;
 PrivateTmp = true;
 PrivateDevices = true;
 PrivateUsers = false; # kernel_route(ADD): Operation not permitted
+ ProcSubset = "pid";
 SystemCallArchitectures = "native";
- SystemCallFilter = [ "@system-service" ];
+ SystemCallFilter = [
+ "@system-service"
+ "~@privileged @resources"
+ ];
 UMask = "0177";
 RuntimeDirectory = "babeld";
 StateDirectory = "babeld"; |
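Review bot: `DevicePolicy = "closed"` repeats what `PrivateDevices = true` (visible as context in the second hunk of this file) already sets according to systemd.exec(5), so while both are present the added line does not change device access. If it is kept on purpose as a second layer in case PrivateDevices is relaxed later, a short comment would make that visible, for example `DevicePolicy = "closed"; # also implied by PrivateDevices; kept in case that is relaxed`. The serviceConfig attribute set starts and ends outside this hunk.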
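Review bot: `ProcSubset = "pid"` leaves only the per-process part of /proc mounted for the unit, so /proc/sys is no longer reachable from babeld, and nothing in this hunk shows the forwarding and rp_filter sysctls a routing daemon usually adjusts at startup being set elsewhere. The attribute set starts and ends outside the hunk, so this may already be handled by the module; if it is, a why-comment in the style of the existing `PrivateUsers` one would record it, e.g. `ProcSubset = "pid"; # sysctls are set by the module, not by babeld`. The same applies to `"~@privileged @resources"`: a filtered call ends the process with SIGSYS unless SystemCallErrorNumber is set, so it is worth noting in a comment which configurations (pid file, state file, route install under CAP_NET_ADMIN) the tightened filter was tested with.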