authorgithub-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>2021-06-24 00:06:27 +0000
committerGitHub <noreply@github.com>2021-06-24 00:06:27 +0000
commitd437a6cac2086ead6232bc4d84c25c58a33c1b59 (patch)
tree4831dd7d87ea3c3bf24bda66e1d739bc248f6717 /nixos/modules
parentb68a0d2f5e90ebc827148e2827765376029fde95 (diff)
parent65db0350fe3962c41b8604046ec9166976f80793 (diff)
Merge master into staging-next
Diffstat (limited to 'nixos/modules')
-rw-r--r--nixos/modules/services/networking/babeld.nix8
1 files changed, 7 insertions, 1 deletions
diff --git a/nixos/modules/services/networking/babeld.nix b/nixos/modules/services/networking/babeld.nix
index 5e14283179a..aae6f1498a4 100644
--- a/nixos/modules/services/networking/babeld.nix
+++ b/nixos/modules/services/networking/babeld.nix
@@ -104,6 +104,7 @@ in
         ExecStart = "${pkgs.babeld}/bin/babeld -c ${configFile} -I /run/babeld/babeld.pid -S /var/lib/babeld/state";
         AmbientCapabilities = [ "CAP_NET_ADMIN" ];
         CapabilityBoundingSet = [ "CAP_NET_ADMIN" ];
+        DevicePolicy = "closed";
         DynamicUser = true;
         IPAddressAllow = [ "fe80::/64" "ff00::/8" "::1/128" "127.0.0.0/8" ];
         IPAddressDeny = "any";
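Review bot: The added `DevicePolicy = "closed"` duplicates what `PrivateDevices = true` (set further down in the same unit, visible in the next hunk) already provides, since systemd documents PrivateDevices= as implying DevicePolicy=closed. Keeping it is harmless and guards against PrivateDevices being relaxed later, but that intent should be written down, e.g. `DevicePolicy = "closed"; # implied by PrivateDevices; kept explicit in case that is ever relaxed`. The service's attribute set starts and ends outside this hunk.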
@@ -123,12 +124,17 @@ in
         RemoveIPC = true;
         ProtectHome = true;
         ProtectHostname = true;
+        ProtectProc = "invisible";
         PrivateMounts = true;
         PrivateTmp = true;
         PrivateDevices = true;
         PrivateUsers = false; # kernel_route(ADD): Operation not permitted
+        ProcSubset = "pid";
         SystemCallArchitectures = "native";
-        SystemCallFilter = [ "@system-service" ];
+        SystemCallFilter = [
+          "@system-service"
+          "~@privileged @resources"
+        ];
         UMask = "0177";
         RuntimeDirectory = "babeld";
         StateDirectory = "babeld";
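Review bot: The added `ProcSubset = "pid"` hides everything in /proc that is not a per-process directory, including /proc/sys, and nothing in the hunk records why that is safe for a routing daemon that keeps CAP_NET_ADMIN. If babeld reads or adjusts sysctls under /proc/sys/net itself, those accesses will fail. Whether the generated config disables that is not visible here, so it should be confirmed and then documented the way the `PrivateUsers` line documents its constraint, e.g. `ProcSubset = "pid"; # babeld must not touch /proc/sys; sysctls are managed outside the unit`. Separately, the leading `~` in `"~@privileged @resources"` negates both groups, which is easy to misread; `"~@privileged" "~@resources"` expresses the same filter more plainly. The attribute set continues outside the hunk.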