nixos/gitea: Sandbox the systemd service #63840
Conversation
Have you considered adding these? They are from the recommendations in #20816.
RestrictAddressFamilies=AF_NETLINK AF_UNIX
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @resources
Edit: gitea is probably going to need AF_INET AF_INET6 in RestrictAddressFamilies.
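As an added example (not code from this PR or from the nixpkgs gitea module), here is how the two options suggested above would be expressed in a NixOS module fragment, with the address families widened to AF_INET and AF_INET6 as the follow-up edit notes. The exact option set, the inclusion of AF_NETLINK, and the use of SystemCallErrorNumber while testing are assumptions for illustration, not what the PR merged:

```nix
# Added example, not the PR's code. Applies the hardening options discussed in
# the thread to the gitea unit. Which exact values the PR merged is an
# assumption here.
{ config, lib, pkgs, ... }:

{
  systemd.services.gitea.serviceConfig = {
    # gitea serves HTTP/SSH over TCP and may reach its database over TCP or a
    # UNIX socket, so AF_INET/AF_INET6 are needed alongside AF_UNIX.
    # AF_NETLINK is kept only because the suggestion above lists it; drop it
    # if nothing in the unit turns out to need it (assumption).
    RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6 AF_NETLINK";

    # Deny-list of syscall groups, written as one string so it is a single
    # SystemCallFilter= line in the generated unit, matching the suggestion.
    SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @resources";

    # By default a filtered syscall kills the process with SIGSYS, which is why
    # an over-broad filter looks like the service silently dying. Returning
    # EPERM instead makes the failing call visible in gitea's own logging
    # while the filter is being tuned; remove once the set is known good.
    SystemCallErrorNumber = "EPERM";
  };
}
```

To see what a group actually contains before denying it, run `systemd-analyze syscall-filter @resources` (or any other `@group`) on the target host, since group membership depends on the systemd version. After deploying, `journalctl -u gitea.service` shows the SIGSYS kills or EPERM failures that indicate the filter is still too tight, and `systemd-analyze security gitea.service` (systemd 240 and later) summarises the unit's remaining exposure.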
@gazally Thanks for the recommendation. I added both options; my gitea is currently running with them and there don't seem to be any issues. It needs |
This broke the service and the test due to (at least) |
It would be good if the service had maintainers so they could be pinged on changes. |
I can probably take up maintainership here, no problem. |
How did you actually test your changes? It broke the service.
Any known workarounds for the breakage other than reverting the whole commit? |
This does not revert everything but works on my setup. More testers would be appreciated, because it's hard to tell if it's still too restrictive for some setups. |
Motivation for this change
Things done
- Tested using sandboxing (sandbox option in nix.conf on non-NixOS)
- Tested compilation of all pkgs that depend on this change using nix-shell -p nix-review --run "nix-review wip"
- Tested execution of all binary files (usually in ./result/bin/)
- Determined the impact on package closure size (by running nix path-info -S before and after)