diff options
| author | Joachim Fasting <joachifm@fastmail.fm> | 2017-03-08 00:42:20 +0100 |
|---|---|---|
| committer | Joachim Fasting <joachifm@fastmail.fm> | 2017-03-08 19:07:51 +0100 |
| commit | 5f27abec233604ebe543e4fc833f282a7c835b3f (patch) | |
| tree | d511781d53a7e5c19da039859eb2edcc8909fd0a /nixos | |
| parent | e72aaa73eacb15b82270fe702517be97d1beba37 (diff) | |
| download | nixlib-5f27abec233604ebe543e4fc833f282a7c835b3f.tar nixlib-5f27abec233604ebe543e4fc833f282a7c835b3f.tar.gz nixlib-5f27abec233604ebe543e4fc833f282a7c835b3f.tar.bz2 nixlib-5f27abec233604ebe543e4fc833f282a7c835b3f.tar.lz nixlib-5f27abec233604ebe543e4fc833f282a7c835b3f.tar.xz nixlib-5f27abec233604ebe543e4fc833f282a7c835b3f.tar.zst nixlib-5f27abec233604ebe543e4fc833f282a7c835b3f.zip | |
nixos/dnscrypt-proxy: more fs isolation for the updater
It'd be better to do the update as an unprivileged user; for now, we do our best to minimize the surface available. We filter mount syscalls to prevent the process from undoing the fs isolation.
Diffstat (limited to 'nixos')
| -rw-r--r-- | nixos/modules/services/networking/dnscrypt-proxy.nix | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/nixos/modules/services/networking/dnscrypt-proxy.nix b/nixos/modules/services/networking/dnscrypt-proxy.nix index 636caf25a552..ad1559e21df7 100644 --- a/nixos/modules/services/networking/dnscrypt-proxy.nix +++ b/nixos/modules/services/networking/dnscrypt-proxy.nix @@ -285,7 +285,9 @@ in PrivateTmp = true; PrivateDevices = true; ProtectHome = true; - ProtectSystem = true; + ProtectSystem = "strict"; + ReadWritePaths = "${dirOf stateDirectory} ${stateDirectory}"; + SystemCallFilter = "~@mount"; }; }; |