seatd: restrict capabilities

2024-08-07 20:16:15 +00:00
parent 9b1e053ead
commit 49efb94a0a


@@ -15,9 +15,10 @@ lib.mkMerge [
}); });
sandbox.method = "bwrap"; sandbox.method = "bwrap";
sandbox.capabilities = [ sandbox.capabilities = [
"sys_tty_config" "sys_admin" # "chown"
"chown"
"dac_override" #< TODO: is there no way to get rid of this? "dac_override" #< TODO: is there no way to get rid of this?
# "sys_admin"
"sys_tty_config"
]; ];
sandbox.extraPaths = [ sandbox.extraPaths = [
"/dev" #< TODO: this can be removed if i have seatd restart on client error such that seatd can discover devices as they appear "/dev" #< TODO: this can be removed if i have seatd restart on client error such that seatd can discover devices as they appear
@@ -65,13 +66,15 @@ lib.mkMerge [
# "CAP_SYS_ADMIN" # "CAP_SYS_ADMIN"
# "CAP_SYS_TTY_CONFIG" # "CAP_SYS_TTY_CONFIG"
# ]; # ];
# serviceConfig.CapabilityBoundingSet = [ serviceConfig.CapabilityBoundingSet = [
# # TODO: reduce! # TODO: these can probably be reduced if i switch to landlock for sandboxing,
# "CAP_CHOWN" # or run as a user other than root
# "CAP_DAC_OVERRIDE" # "CAP_CHOWN"
# "CAP_SYS_ADMIN" "CAP_DAC_OVERRIDE" #< needed, to access /dev/tty
# "CAP_SYS_TTY_CONFIG" "CAP_NET_ADMIN" #< needed by bwrap, for some reason??
# ]; "CAP_SYS_ADMIN" #< needed by bwrap
"CAP_SYS_TTY_CONFIG"
];
}; };
}) })
] ]
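Review bot: The new CapabilityBoundingSet keeps CAP_SYS_ADMIN and CAP_NET_ADMIN with comments that record only that bwrap needs them, and while CAP_SYS_ADMIN stays in the bounding set of a root service the restriction is largely nominal, since that capability alone covers mount, namespace and most other privileged operations. If the sandbox runs bwrap without a user namespace, that is presumably why it needs CAP_SYS_ADMIN (mount namespace setup) and CAP_NET_ADMIN (bringing up loopback after unsharing the network namespace); check which bwrap options the sandbox module passes to confirm, because with a user namespace both could likely be dropped from this list. The comment should name the suspected cause rather than the uncertainty so the next revision has something to verify, e.g. `"CAP_NET_ADMIN" #< bwrap: presumably network-namespace setup (loopback) when no user namespace is used — verify`, and the same for the CAP_SYS_ADMIN line. The serviceConfig block this hunk edits begins before the hunk.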