colin/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

nixos/matrix-synapse: allow synapse to write to directories of unix socket paths

Browse Source 
this patch takes the path of all unix socket listeners and appends their
respective parent directories to the ReadWritePaths allow list for the
matrix-synapse systemd service.

previously configuring a unix socket in a directory not writable by
synapse would fail.
This commit is contained in:
networkException 2024-03-01 02:34:06 +01:00
parent 2f2208aca6
commit 10fc05bfc1
No known key found for this signature in database
GPG Key ID: E3877443AE684391
1 changed files with 2 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
nixos/modules/services/matrix/synapse.nix
View File

@ -1232,7 +1232,8 @@ in {
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProtectSystem = "strict";
ReadWritePaths = [ cfg.dataDir cfg.settings.media_store_path ];
ReadWritePaths = [ cfg.dataDir cfg.settings.media_store_path ] ++
(map (listener: dirOf listener.path) (filter (listener: listener.path != null) cfg.settings.listeners));
RemoveIPC = true;
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];
RestrictNamespaces = true;