author | Martin Weinelt <mweinelt@users.noreply.github.com> | 2021-07-22 20:00:00 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-07-22 20:00:00 +0200 |
commit | 70774da509e90a9b86d33403852346bc3bbbde56 (patch) | |
tree | 79114f254cf7078ddefe237127ac1352c7544f50 /nixos | |
parent | a68f3348b2c1b74bb13d7ad573fc4ca58835b230 (diff) | |
parent | ee26807e35e436cd0a29d32a58577a3c01f2e860 (diff) | |
Merge pull request #130853 from mweinelt/pppd
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/services/networking/pppd.nix | 26 |
1 files changed, 22 insertions, 4 deletions
diff --git a/nixos/modules/services/networking/pppd.nix b/nixos/modules/services/networking/pppd.nix
index c1cbdb46176..37f44f07ac4 100644
--- a/nixos/modules/services/networking/pppd.nix
+++ b/nixos/modules/services/networking/pppd.nix
@@ -82,13 +82,21 @@ in
 LD_PRELOAD = "${pkgs.libredirect}/lib/libredirect.so";
 NIX_REDIRECTS = "/var/run=/run/pppd";
 };
- serviceConfig = {
+ serviceConfig = let
+ capabilities = [
+ "CAP_BPF"
+ "CAP_SYS_TTY_CONFIG"
+ "CAP_NET_ADMIN"
+ "CAP_NET_RAW"
+ ];
+ in
+ {
 ExecStart = "${getBin cfg.package}/sbin/pppd call ${peerCfg.name} nodetach nolog";
 Restart = "always";
 RestartSec = 5;
- AmbientCapabilities = "CAP_SYS_TTY_CONFIG CAP_NET_ADMIN CAP_NET_RAW CAP_SYS_ADMIN";
- CapabilityBoundingSet = "CAP_SYS_TTY_CONFIG CAP_NET_ADMIN CAP_NET_RAW CAP_SYS_ADMIN";
+ AmbientCapabilities = capabilities;
+ CapabilityBoundingSet = capabilities;
 KeyringMode = "private";
 LockPersonality = true;
 MemoryDenyWriteExecute = true;
@@ -103,7 +111,17 @@ in
 ProtectKernelTunables = false;
 ProtectSystem = "strict";
 RemoveIPC = true;
- RestrictAddressFamilies = "AF_PACKET AF_UNIX AF_PPPOX AF_ATMPVC AF_ATMSVC AF_INET AF_INET6 AF_IPX";
+ RestrictAddressFamilies = [
+ "AF_ATMPVC"
+ "AF_ATMSVC"
+ "AF_INET"
+ "AF_INET6"
+ "AF_IPX"
+ "AF_NETLINK"
+ "AF_PACKET"
+ "AF_PPPOX"
+ "AF_UNIX"
+ ];
 RestrictNamespaces = true;
 RestrictRealtime = true;
 RestrictSUIDSGID = true; |
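Review bot: The new `capabilities` list swaps `CAP_SYS_ADMIN` for `CAP_BPF` without a comment on which pppd operation needs it or which kernel it assumes. `CAP_BPF` exists only since Linux 5.8, so on an older kernel whatever `CAP_SYS_ADMIN` used to authorise would presumably be refused. A comment above the list such as `# CAP_BPF (Linux >= 5.8) replaces the much broader CAP_SYS_ADMIN` would record that. The same list also feeds `AmbientCapabilities`, and ambient capabilities survive `execve`, so if the unit runs unprivileged they likely reach any helper scripts pppd spawns. It is worth confirming that this is intended rather than only setting `CapabilityBoundingSet`. The `serviceConfig` attribute set continues past the end of this hunk.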
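Review bot: The rewritten `RestrictAddressFamilies` list adds `AF_NETLINK` but still allows `AF_IPX`, `AF_ATMPVC` and `AF_ATMSVC` for every peer, with no comment saying which pppd feature needs each family. Together with `CAP_NET_RAW` from the first hunk, `AF_PACKET` gives the service raw link-layer access, so the allow-list is worth justifying entry by entry. A comment such as `# AF_PACKET/AF_PPPOX: PPPoE, AF_ATM*: PPPoA plugin, AF_NETLINK: interface setup (confirm)` would let a later reviewer drop families a deployment does not use. The surrounding `serviceConfig` set starts and ends outside this hunk.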