seatd: restrict capabilities

2024-08-07 20:16:15 +00:00
parent 9b1e053ead
commit 49efb94a0a


@@ -15,9 +15,10 @@ lib.mkMerge [
});
sandbox.method = "bwrap";
sandbox.capabilities = [
"sys_tty_config" "sys_admin"
"chown"
# "chown"
"dac_override" #< TODO: is there no way to get rid of this?
# "sys_admin"
"sys_tty_config"
];
sandbox.extraPaths = [
"/dev" #< TODO: this can be removed if i have seatd restart on client error such that seatd can discover devices as they appear
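Review bot: The new `"dac_override"` entry bypasses every discretionary file-permission check inside the sandbox, which is far broader than the /dev/tty access the TODO on that line is asking about. One way to answer that TODO is to run seatd as a dedicated user that is a member of the group owning the tty/drm/input device nodes (or to chown the nodes to that user via udev rules), so the device opens succeed on ordinary permissions and the capability can be dropped the way `chown` and `sys_admin` were. I'd also extend the comment so the next reader knows what it gates, e.g. `"dac_override" #< TODO: needed to open /dev/tty*; dropping it requires group access to the device nodes`. The enclosing attribute set starts and ends outside this hunk.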
@@ -65,13 +66,15 @@ lib.mkMerge [
# "CAP_SYS_ADMIN"
# "CAP_SYS_TTY_CONFIG"
# ];
# serviceConfig.CapabilityBoundingSet = [
# # TODO: reduce!
# "CAP_CHOWN"
# "CAP_DAC_OVERRIDE"
# "CAP_SYS_ADMIN"
# "CAP_SYS_TTY_CONFIG"
# ];
serviceConfig.CapabilityBoundingSet = [
# TODO: these can probably be reduced if i switch to landlock for sandboxing,
# or run as a user other than root
# "CAP_CHOWN"
"CAP_DAC_OVERRIDE" #< needed, to access /dev/tty
"CAP_NET_ADMIN" #< needed by bwrap, for some reason??
"CAP_SYS_ADMIN" #< needed by bwrap
"CAP_SYS_TTY_CONFIG"
];
};
})
]
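Review bot: The `CAP_NET_ADMIN` line carries a `for some reason??` comment, so this grant is being shipped without being understood; in bwrap that capability is most likely consumed when it brings up the loopback interface inside a freshly unshared network namespace, so if the sandbox is not started with `--unshare-net` (or systemd already provides isolation via `PrivateNetwork`) the line can probably be removed. Keeping `CAP_SYS_ADMIN` in the bounding set of a root service leaves most of the kernel's privileged surface reachable, so the TODO above it about landlock or a non-root user is the real fix and this list is only a stopgap; `CAP_DAC_OVERRIDE` here is the systemd-side twin of the `dac_override` entry in the first hunk and should go at the same time. I'd make the comment something that can be verified rather than a question, e.g. `"CAP_NET_ADMIN" #< bwrap: configures loopback in the new net namespace; drop if --unshare-net is not used`. The enclosing serviceConfig and mkMerge blocks start outside this hunk.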