author | Jason Yundt <jason@jasonyundt.email> | 2022-09-08 17:58:10 -0400 |
---|---|---|
committer | Bjørn Forsman <bjorn.forsman@gmail.com> | 2022-09-11 16:36:58 +0200 |
commit | 17352e8995e1409636b0817a7f38d6314ccd73c4 (patch) | |
tree | b98c5376ab1b8d6774a67e6da1fe3abc285484ce /nixos | |
parent | 4886df0aea37cdac9139aee6cf291139c7f0e9b2 (diff) | |
nixos/security/wrappers: clarify required format for capabilities
Before this change, the description for security.wrappers.<name>.capabilities made it seem like you could just string together the names of capabilities like this:

    capabilities = "CAP_SETUID,CAP_SETGID";

In reality, each item in the list must be a full-on capability clause:

    capabilities = "CAP_SETUID=ep,CAP_SETGID+i";
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/security/wrappers/default.nix | 9 |
1 files changed, 5 insertions, 4 deletions
diff --git a/nixos/modules/security/wrappers/default.nix b/nixos/modules/security/wrappers/default.nix index 45aee7c97339..a58c792d8c5f 100644 --- a/nixos/modules/security/wrappers/default.nix +++ b/nixos/modules/security/wrappers/default.nix @@ -52,10 +52,11 @@ let { type = lib.types.commas; default = ""; description = lib.mdDoc '' - A comma-separated list of capabilities to be given to the wrapper - program. For capabilities supported by the system check the - {manpage}`capabilities(7)` - manual page. + A comma-separated list of capability clauses to be given to the + wrapper program. The format for capability clauses is described in the + “TEXTUAL REPRESENTATION” section of the {manpage}`cap_from_text(3)` + manual page. For a list of capabilities supported by the system, check + the {manpage}`capabilities(7)` manual page. ::: {.note} `cap_setpcap`, which is required for the wrapper |
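Review bot: The added description lines under `description = lib.mdDoc ''` explain the clause format only by pointing at cap_from_text(3), so a reader still has to leave the option documentation to see what a valid value looks like. Consider including a short inline sample such as `"CAP_SETUID=ep,CAP_SETGID+i"` (the one already used in the commit message), or setting an `example` attribute on the option. Separately, the context lines show the type is still `lib.types.commas`, so nothing visible in this hunk rejects a value like `"CAP_SETUID,CAP_SETGID"` at evaluation time; if that form is never valid, a check on the clause syntax would make the documented requirement an enforced one rather than something discovered when the wrapper is built.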