authorMartin Weinelt <mweinelt@users.noreply.github.com>2021-07-22 20:00:00 +0200
committerGitHub <noreply@github.com>2021-07-22 20:00:00 +0200
commit70774da509e90a9b86d33403852346bc3bbbde56 (patch)
tree79114f254cf7078ddefe237127ac1352c7544f50 /nixos
parenta68f3348b2c1b74bb13d7ad573fc4ca58835b230 (diff)
parentee26807e35e436cd0a29d32a58577a3c01f2e860 (diff)
downloadnixpkgs-70774da509e90a9b86d33403852346bc3bbbde56.tar
nixpkgs-70774da509e90a9b86d33403852346bc3bbbde56.tar.gz
nixpkgs-70774da509e90a9b86d33403852346bc3bbbde56.tar.bz2
nixpkgs-70774da509e90a9b86d33403852346bc3bbbde56.tar.lz
nixpkgs-70774da509e90a9b86d33403852346bc3bbbde56.tar.xz
nixpkgs-70774da509e90a9b86d33403852346bc3bbbde56.tar.zst
nixpkgs-70774da509e90a9b86d33403852346bc3bbbde56.zip
Merge pull request #130853 from mweinelt/pppd
Diffstat (limited to 'nixos')
-rw-r--r--nixos/modules/services/networking/pppd.nix26
1 files changed, 22 insertions, 4 deletions
diff --git a/nixos/modules/services/networking/pppd.nix b/nixos/modules/services/networking/pppd.nix
index c1cbdb46176..37f44f07ac4 100644
--- a/nixos/modules/services/networking/pppd.nix
+++ b/nixos/modules/services/networking/pppd.nix
@@ -82,13 +82,21 @@ in
           LD_PRELOAD = "${pkgs.libredirect}/lib/libredirect.so";
           NIX_REDIRECTS = "/var/run=/run/pppd";
         };
-        serviceConfig = {
+        serviceConfig = let
+          capabilities = [
+            "CAP_BPF"
+            "CAP_SYS_TTY_CONFIG"
+            "CAP_NET_ADMIN"
+            "CAP_NET_RAW"
+          ];
+        in
+        {
           ExecStart = "${getBin cfg.package}/sbin/pppd call ${peerCfg.name} nodetach nolog";
           Restart = "always";
           RestartSec = 5;
 
-          AmbientCapabilities = "CAP_SYS_TTY_CONFIG CAP_NET_ADMIN CAP_NET_RAW CAP_SYS_ADMIN";
-          CapabilityBoundingSet = "CAP_SYS_TTY_CONFIG CAP_NET_ADMIN CAP_NET_RAW CAP_SYS_ADMIN";
+          AmbientCapabilities = capabilities;
+          CapabilityBoundingSet = capabilities;
           KeyringMode = "private";
           LockPersonality = true;
           MemoryDenyWriteExecute = true;
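Review bot: The new `capabilities` list swaps CAP_SYS_ADMIN for CAP_BPF without a comment saying what pppd needs CAP_BPF for or that the name only exists on recent kernels, so a future maintainer has no way to tell whether dropping it back is safe; a short why-comment above the list, e.g. `# CAP_BPF replaces CAP_SYS_ADMIN (needed for <reason — confirm against pppd>); the name requires Linux 5.8+ / a systemd that knows it`, would make the hardening intent durable. As far as I recall, systemd logs a warning and ignores a capability name it cannot parse, so on an older kernel or systemd the service would silently run with a smaller ambient set rather than fail — worth confirming and noting if the module is expected to work there. Using the same list for AmbientCapabilities and CapabilityBoundingSet is the right shape, since the bounding set then can never be wider than what is granted. The enclosing serviceConfig attribute set continues past the end of this hunk.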
@@ -103,7 +111,17 @@ in
           ProtectKernelTunables = false;
           ProtectSystem = "strict";
           RemoveIPC = true;
-          RestrictAddressFamilies = "AF_PACKET AF_UNIX AF_PPPOX AF_ATMPVC AF_ATMSVC AF_INET AF_INET6 AF_IPX";
+          RestrictAddressFamilies = [
+            "AF_ATMPVC"
+            "AF_ATMSVC"
+            "AF_INET"
+            "AF_INET6"
+            "AF_IPX"
+            "AF_NETLINK"
+            "AF_PACKET"
+            "AF_PPPOX"
+            "AF_UNIX"
+          ];
           RestrictNamespaces = true;
           RestrictRealtime = true;
           RestrictSUIDSGID = true;
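Review bot: AF_NETLINK is newly allowed in RestrictAddressFamilies but nothing in the hunk or the commit message records why it became necessary, and an unexplained widening of a sandbox allow-list tends to get cargo-culted forward; a one-line comment on that entry, e.g. `"AF_NETLINK" # presumably for interface/route configuration — confirm`, would let a later reviewer judge whether it can be removed again. The rest of the list is unchanged apart from being sorted, which is a readability improvement. The serviceConfig attribute set continues beyond this hunk, so the closing of the `let … in { … }` introduced in the first hunk is not visible here.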