colin/nix-files
1
0
Fork 1
Code Issues Pull Requests Projects Releases Wiki Activity

sanebox: fix landlock sandboxing IAB edgecases

Browse Source 
i don't fully understand it. but adjusting the Inh capability set breaks things like gocryptfs. i think it isn't necessary: if we set E alone, and no-new-privs, then that gets us the same guarantees.
This commit is contained in:
Colin
2024-08-05 22:54:20 +00:00
parent 722fe8f368
commit 5eca45891b
1 changed files with 1 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
pkgs/additional/sanebox/sanebox
View File

@@ -870,7 +870,7 @@ capshonlyIngestCapability() {
# therefore, only grant it those capabilities i know will succeed. # therefore, only grant it those capabilities i know will succeed.
if capsh "--has-p=cap_$1" 2>/dev/null; then if capsh "--has-p=cap_$1" 2>/dev/null; then
if [ -z "$capshCapsArg" ]; then if [ -z "$capshCapsArg" ]; then
capshCapsArg=cap_$1=eip capshCapsArg=cap_$1=ep
else else
capshCapsArg=cap_$1,$capshCapsArg capshCapsArg=cap_$1,$capshCapsArg
fi fi