nixos/zerotierone: Sandbox the systemd service #64384
Conversation
@@ -44,15 +44,39 @@ in | |||
wantedBy = [ "multi-user.target" ]; | |||
preStart = '' | |||
mkdir -p /var/lib/zerotier-one/networks.d | |||
chmod 700 /var/lib/zerotier-one | |||
chown -R root:root /var/lib/zerotier-one |
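Review bot: in the preStart hunk the directory is created by mkdir -p with the umask default mode and only afterwards tightened by chmod 700, and ownership is asserted by chown -R root:root only after that, so on a first start the state directory briefly exists with a wider mode than intended. Creating it with its final permissions in one step avoids the ordering question, for example install -d -m 700 -o root -g root /var/lib/zerotier-one followed by the mkdir for networks.d, or letting systemd own the directory with StateDirectory=zerotier-one and StateDirectoryMode=0700 so the pre-start script no longer has to fix up permissions on every start.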
Will this break existing installations?
No. See lines 55 and 56.
@gazally are you aware of the
No, it's new to me but it looks useful. I tried it out with
This is issued before the pre-start script starts.
Edit: Anyhow, the error is nonfatal, and just a warning log message. systemd just continues executing everything just fine. It's annoying but shouldn't break anything.
@gazally conclusion is that you can ignore that error message. It isn't fatal. I'll see if I can make systemd suppress the message in a separate PR.
I've pushed a revised version with
This looks fine to me.
PrivateTmp = true; | ||
ProtectControlGroups = true; | ||
ProtectKernelModules = true; | ||
ProtectKernelTunables = true; |
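Review bot: PrivateTmp, ProtectControlGroups, ProtectKernelModules and ProtectKernelTunables still leave the rest of the filesystem writable by the service, which runs as root; unless it is already set elsewhere in the unit, adding ProtectSystem=strict together with ReadWritePaths=/var/lib/zerotier-one (or StateDirectory=zerotier-one) and ProtectHome=true would confine writes to the state directory, keeping in mind that these settings also apply to the preStart script, which must still be able to write there. Running systemd-analyze security on the unit before and after shows how much each directive lowers the exposure score.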
Please note that this implies MountAPIVFS, so you could just go with the default confinement mode of full-apivfs and remove these options.
Thank you for your contributions.
Motivation for this change
Reducing the number of services that run as root with full privileges.
Things done
- Tested using sandboxing (sandbox in nix.conf on non-NixOS)
- Tested compilation of all pkgs that depend on this change using nix-shell -p nix-review --run "nix-review wip"
- Tested execution of all binary files (usually in ./result/bin/)
- Determined the impact on package closure size (by running nix path-info -S before and after)