pyrox.dev / nixpkgs
lol
fork atom

Merge pull request #202187 from hmenke/alps

authored by

Martin Weinelt and committed by
GitHub a4e5468b 51e70a70

+8 -5
+6 -4
nixos/modules/services/web-apps/alps.nix
··· 98 98 99 99 serviceConfig = { 100 100 ExecStart = "${cfg.package}/bin/alps ${escapeShellArgs cfg.args}"; 101 + AmbientCapabilities = ""; 102 + CapabilityBoundingSet = ""; 101 103 DynamicUser = true; 102 - ## This is desirable but would restrict bindIP to 127.0.0.1 103 - #IPAddressAllow = "localhost"; 104 - #IPAddressDeny = "any"; 105 104 LockPersonality = true; 105 + MemoryDenyWriteExecute = true; 106 106 NoNewPrivileges = true; 107 107 PrivateDevices = true; 108 108 PrivateIPC = true; ··· 122 122 RestrictNamespaces = true; 123 123 RestrictRealtime = true; 124 124 RestrictSUIDSGID = true; 125 + SocketBindAllow = cfg.port; 126 + SocketBindDeny = "any"; 125 127 SystemCallArchitectures = "native"; 126 - SystemCallFilter = [ "@system-service @resources" "~@privileged @obsolete" ]; 128 + SystemCallFilter = [ "@system-service" "~@privileged @obsolete" ]; 127 129 }; 128 130 }; 129 131 };
+2 -1
nixos/tests/alps.nix
··· 90 90 }; 91 91 }; 92 92 93 - testScript = '' 93 + testScript = { nodes, ... }: '' 94 94 server.start() 95 95 server.wait_for_unit("postfix.service") 96 96 server.wait_for_unit("dovecot2.service") ··· 99 99 100 100 client.start() 101 101 client.wait_for_unit("alps.service") 102 + client.wait_for_open_port(${toString nodes.client.config.services.alps.port}) 102 103 client.succeed("test-alps-login") 103 104 ''; 104 105 })