pleroma: fix (and partially strengthen) the sandboxing

2024-10-21 10:17:28 +00:00
parent d17f436250
commit 98c64a5940
1 changed files with 4 additions and 3 deletions
--- a/hosts/by-name/servo/services/pleroma.nix
+++ b/hosts/by-name/servo/services/pleroma.nix
@@ -136,9 +136,10 @@ in
    # something inside pleroma invokes `sh` w/o specifying it by path, so this is needed to allow pleroma to start
    pkgs.bash
    # used by Pleroma to strip geo tags from uploads
-    config.sane.programs.exiftool.package
+    pkgs.exiftool
+    # config.sane.programs.exiftool.package  #< XXX(2024-10-20): breaks image uploading
    # i saw some errors when pleroma was shutting down about it not being able to find `awk`. probably not critical
-    config.sane.programs.gawk.package
+    # config.sane.programs.gawk.package
    # needed for email operations like password reset
    pkgs.postfix
  ];
@@ -153,7 +154,7 @@ in
    # possible that i've set something too strict and won't notice right away
    # make sure to test:
    # - image/media uploading
-    serviceConfig.CapabilityBoundingSet = "~CAP_SYS_ADMIN";  #< TODO: reduce this. try: CAP_SYS_NICE CAP_DAC_READ_SEARCH CAP_SYS_CHROOT CAP_SETGID CAP_SETUID
+    serviceConfig.CapabilityBoundingSet = lib.mkForce [ "" "" ];  # nixos default is `~CAP_SYS_ADMIN`
    serviceConfig.LockPersonality = true;
    serviceConfig.NoNewPrivileges = true;
    serviceConfig.MemoryDenyWriteExecute = true;