colin/nix-files
1
0
Fork 1
Code Issues Pull Requests Projects Releases Wiki Activity

modules/programs: sane-sandboxed: invoke "capsh" with the --no-new-privs argument

Browse Source
This commit is contained in:
Colin 2024-02-16 05:48:50 +00:00
parent 00e4078300
commit 029ba43bd6
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
modules/programs/sane-sandboxed
View File

@ -422,7 +422,7 @@ landlockExec() {
_capsh="$(locate capsh @libcap@/bin/capsh)"
LL_FS_RO= LL_FS_RW="$landlockPaths" exec \
"$_sandboxer" \
"$_capsh" "--caps=$capshCapsArg" --shell="/usr/bin/env" -- "${extraEnv[@]}" "${cliArgs[@]}"
"$_capsh" "--caps=$capshCapsArg" --no-new-privs --shell="/usr/bin/env" -- "${extraEnv[@]}" "${cliArgs[@]}"
}
@ -461,7 +461,7 @@ capshonlyIngestCapability() {
capshonlyExec() {
_capsh="$(locate capsh @libcap@/bin/capsh)"
exec \
"$_capsh" "--caps=$capshCapsArg" --shell="/usr/bin/env" -- "${extraEnv[@]}" "${cliArgs[@]}"
"$_capsh" "--caps=$capshCapsArg" --no-new-privs --shell="/usr/bin/env" -- "${extraEnv[@]}" "${cliArgs[@]}"
}