seatd: restrict capabilities
@@ -15,9 +15,10 @@ lib.mkMerge [
|
||||
});
|
||||
sandbox.method = "bwrap";
|
||||
sandbox.capabilities = [
|
||||
"sys_tty_config" "sys_admin"
|
||||
"chown"
|
||||
# "chown"
|
||||
"dac_override" #< TODO: is there no way to get rid of this?
|
||||
# "sys_admin"
|
||||
"sys_tty_config"
|
||||
];
|
||||
sandbox.extraPaths = [
|
||||
"/dev" #< TODO: this can be removed if i have seatd restart on client error such that seatd can discover devices as they appear
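Review bot: The new `sandbox.capabilities` list still grants `dac_override` with an open TODO, while `sandbox.extraPaths` on the last line of the hunk exposes all of `/dev`; together these largely restore root-like access to every device node, so the capability reduction on this list is weaker than it looks. If the capability is only needed to open the tty device nodes (the comment in the second hunk says "to access /dev/tty"), a narrower alternative to test is giving the service access through the devices' group instead of bypassing DAC checks entirely, and narrowing `/dev` to the specific nodes seatd needs once the restart-on-error change noted in the TODO is done. The second hunk keeps `CAP_SYS_ADMIN` in the systemd bounding set even though `sys_admin` is commented out here; the two lists should be reconciled so the sandbox and the unit agree. The enclosing attribute set starts and ends outside the hunk.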
|
||||
@@ -65,13 +66,15 @@ lib.mkMerge [
|
||||
# "CAP_SYS_ADMIN"
|
||||
# "CAP_SYS_TTY_CONFIG"
|
||||
# ];
|
||||
# serviceConfig.CapabilityBoundingSet = [
|
||||
# # TODO: reduce!
|
||||
# "CAP_CHOWN"
|
||||
# "CAP_DAC_OVERRIDE"
|
||||
# "CAP_SYS_ADMIN"
|
||||
# "CAP_SYS_TTY_CONFIG"
|
||||
# ];
|
||||
serviceConfig.CapabilityBoundingSet = [
|
||||
# TODO: these can probably be reduced if i switch to landlock for sandboxing,
|
||||
# or run as a user other than root
|
||||
# "CAP_CHOWN"
|
||||
"CAP_DAC_OVERRIDE" #< needed, to access /dev/tty
|
||||
"CAP_NET_ADMIN" #< needed by bwrap, for some reason??
|
||||
"CAP_SYS_ADMIN" #< needed by bwrap
|
||||
"CAP_SYS_TTY_CONFIG"
|
||||
];
|
||||
};
|
||||
})
|
||||
]
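Review bot: Keeping `CAP_SYS_ADMIN` in `CapabilityBoundingSet` (the line marked `#< needed by bwrap`) leaves the unit close to unrestricted root, so the restriction this commit makes is mostly cosmetic at the systemd layer, and the `CAP_NET_ADMIN` comment (`for some reason??`) records a guess rather than a verified reason. A plausible cause for both, if bwrap is launched as root without a user namespace, is that it needs SYS_ADMIN to unshare namespaces and NET_ADMIN to bring up loopback inside a new network namespace; this is worth confirming by removing each capability in turn and reading bwrap's error, then replacing the comment with the verified reason, e.g. `"CAP_NET_ADMIN" #< bwrap --unshare-net configures loopback in the new netns; drop if networking is not unshared`. If that is confirmed, the TODO's own suggestion of running as a non-root user would remove both, since unprivileged bwrap relies on user namespaces instead of these capabilities. The enclosing `lib.mkMerge` list starts outside the hunk.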
|
||||
|