author | Martin Weinelt <mweinelt@users.noreply.github.com> | 2022-11-25 01:34:53 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-11-25 01:34:53 +0100 |
commit | a4e5468bc03cc169ac0d2fad5186c02747ea8e55 (patch) | |
tree | b22128532f9ef56da277356167eea855752d3db1 /nixos | |
parent | 51e70a70df443c1133d55faa01d28f4b83f46bd3 (diff) | |
parent | d02af66091e3233af01a2d6184ca5b47f7d7e726 (diff) | |
Merge pull request #202187 from hmenke/alps
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/services/web-apps/alps.nix | 10 | ||||
-rw-r--r-- | nixos/tests/alps.nix | 3 |
2 files changed, 8 insertions, 5 deletions
diff --git a/nixos/modules/services/web-apps/alps.nix b/nixos/modules/services/web-apps/alps.nix
index 4681739af4ab..1a58df2da1d2 100644
--- a/nixos/modules/services/web-apps/alps.nix
+++ b/nixos/modules/services/web-apps/alps.nix
@@ -98,11 +98,11 @@ in {
 serviceConfig = {
 ExecStart = "${cfg.package}/bin/alps ${escapeShellArgs cfg.args}";
+ AmbientCapabilities = "";
+ CapabilityBoundingSet = "";
 DynamicUser = true;
- ## This is desirable but would restrict bindIP to 127.0.0.1
- #IPAddressAllow = "localhost";
- #IPAddressDeny = "any";
 LockPersonality = true;
+ MemoryDenyWriteExecute = true;
 NoNewPrivileges = true;
 PrivateDevices = true;
 PrivateIPC = true;
@@ -122,8 +122,10 @@ in {
 RestrictNamespaces = true;
 RestrictRealtime = true;
 RestrictSUIDSGID = true;
+ SocketBindAllow = cfg.port;
+ SocketBindDeny = "any";
 SystemCallArchitectures = "native";
- SystemCallFilter = [ "@system-service @resources" "~@privileged @obsolete" ];
+ SystemCallFilter = [ "@system-service" "~@privileged @obsolete" ];
 };
 };
 };
diff --git a/nixos/tests/alps.nix b/nixos/tests/alps.nix
index 8d7814117df1..3c30be1c1887 100644
--- a/nixos/tests/alps.nix
+++ b/nixos/tests/alps.nix
@@ -90,7 +90,7 @@ import ./make-test-python.nix ({ pkgs, ... }: {
 };
 };
- testScript = ''
+ testScript = { nodes, ... }: ''
 server.start()
 server.wait_for_unit("postfix.service")
 server.wait_for_unit("dovecot2.service")
@@ -99,6 +99,7 @@ import ./make-test-python.nix ({ pkgs, ... }: {
 client.start()
 client.wait_for_unit("alps.service")
+ client.wait_for_open_port(${toString nodes.client.config.services.alps.port})
 client.succeed("test-alps-login")
 '';
 })
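Review bot: Removing the three commented lines also removes the only recorded reason why `IPAddressAllow`/`IPAddressDeny` are not applied to this unit, and a later hardening pass is likely to re-propose them without that context; keep a one-line note in their place, e.g. `# IPAddressAllow/Deny are intentionally unset: "localhost" would restrict bindIP to 127.0.0.1`. The emptied `CapabilityBoundingSet` and `AmbientCapabilities` make explicit that the service never holds CAP_NET_BIND_SERVICE, so whether a `cfg.port` below 1024 is rejected at bind() now depends entirely on how the port option is typed and described, which is outside this hunk; if it is not already constrained, an assertion or a sentence in the option description ("must be an unprivileged port, the service runs without CAP_NET_BIND_SERVICE") would turn a start-time bind failure into a clear evaluation error. The `serviceConfig` attribute set continues into the next hunk.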
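Review bot: `SocketBindAllow = cfg.port` and `SocketBindDeny = "any"` constrain only bind(), so the tightened sandbox still permits arbitrary outbound connections (presumably required for alps to reach its mail backends); a reader skimming this block may assume egress is restricted too, so add `# SocketBind* only restrict bind(); outbound connections are unaffected` above them. The removal of `@resources` from the `SystemCallFilter` allow list is likewise undocumented; one line recording why those syscalls are no longer needed (or that the integration test exercises the service without them) would help whoever next has to debug a SIGSYS. The `serviceConfig` attribute set starts outside this hunk.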