pleroma: fix (and partially strengthen) the sandboxing
This commit is contained in:
@@ -136,9 +136,10 @@ in
|
|||||||
# something inside pleroma invokes `sh` w/o specifying it by path, so this is needed to allow pleroma to start
|
# something inside pleroma invokes `sh` w/o specifying it by path, so this is needed to allow pleroma to start
|
||||||
pkgs.bash
|
pkgs.bash
|
||||||
# used by Pleroma to strip geo tags from uploads
|
# used by Pleroma to strip geo tags from uploads
|
||||||
config.sane.programs.exiftool.package
|
pkgs.exiftool
|
||||||
|
# config.sane.programs.exiftool.package #< XXX(2024-10-20): breaks image uploading
|
||||||
# i saw some errors when pleroma was shutting down about it not being able to find `awk`. probably not critical
|
# i saw some errors when pleroma was shutting down about it not being able to find `awk`. probably not critical
|
||||||
config.sane.programs.gawk.package
|
# config.sane.programs.gawk.package
|
||||||
# needed for email operations like password reset
|
# needed for email operations like password reset
|
||||||
pkgs.postfix
|
pkgs.postfix
|
||||||
];
|
];
|
||||||
@@ -153,7 +154,7 @@ in
|
|||||||
# possible that i've set something too strict and won't notice right away
|
# possible that i've set something too strict and won't notice right away
|
||||||
# make sure to test:
|
# make sure to test:
|
||||||
# - image/media uploading
|
# - image/media uploading
|
||||||
serviceConfig.CapabilityBoundingSet = "~CAP_SYS_ADMIN"; #< TODO: reduce this. try: CAP_SYS_NICE CAP_DAC_READ_SEARCH CAP_SYS_CHROOT CAP_SETGID CAP_SETUID
|
serviceConfig.CapabilityBoundingSet = lib.mkForce [ "" "" ]; # nixos default is `~CAP_SYS_ADMIN`
|
||||||
serviceConfig.LockPersonality = true;
|
serviceConfig.LockPersonality = true;
|
||||||
serviceConfig.NoNewPrivileges = true;
|
serviceConfig.NoNewPrivileges = true;
|
||||||
serviceConfig.MemoryDenyWriteExecute = true;
|
serviceConfig.MemoryDenyWriteExecute = true;
|
||||||
|
|||||||
Reference in New Issue
Block a user