base repository: NixOS/nixpkgs
base: 8305186bb44e
head repository: NixOS/nixpkgs
compare: d9319e8e8725
  • 1 commit
  • 1 file changed
  • 1 contributor

Commits on Jan 13, 2020

  1. nixos/ndppd: enable systemd sandboxing

    mmilata authored and fpletz committed Jan 13, 2020
    d9319e8
Showing with 19 additions and 1 deletion.
  1. +19 −1 nixos/modules/services/networking/ndppd.nix
20 changes: 19 additions & 1 deletion nixos/modules/services/networking/ndppd.nix
@@ -161,7 +161,25 @@ in {
documentation = [ "man:ndppd(1)" "man:ndppd.conf(5)" ];
after = [ "network-pre.target" ];
wantedBy = [ "multi-user.target" ];
serviceConfig.ExecStart = "${pkgs.ndppd}/bin/ndppd -c ${ndppdConf}";
serviceConfig = {
ExecStart = "${pkgs.ndppd}/bin/ndppd -c ${ndppdConf}";

# Sandboxing
CapabilityBoundingSet = "CAP_NET_RAW CAP_NET_ADMIN";
ProtectSystem = "strict";
ProtectHome = true;
PrivateTmp = true;
PrivateDevices = true;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectControlGroups = true;
RestrictAddressFamilies = "AF_INET6 AF_PACKET AF_NETLINK";
RestrictNamespaces = true;
LockPersonality = true;
MemoryDenyWriteExecute = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
};
};
};
}
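
Review bot: The new sandboxing block in serviceConfig has no NoNewPrivileges and no SystemCallFilter, and the visible serviceConfig sets no User=, so the daemon still runs as root with only the capability bounding set narrowing it. For a root system service systemd does not imply NoNewPrivileges from the Protect*/Restrict* options, so it should be set explicitly, e.g. `NoNewPrivileges = true;`, and a syscall allow-list such as `SystemCallFilter = "@system-service";` would be worth testing against ndppd. The `# Sandboxing` comment would also benefit from one line saying why CAP_NET_RAW, CAP_NET_ADMIN and AF_PACKET are required, so a later reader does not drop or widen them blindly. Running `systemd-analyze security` on the resulting unit before and after would document the effect of the change.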