nixos/ebusd: fix device access (#352743)

authored by Arne Keller and committed by GitHub bfd71544 2e5a764e

+9 -3
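--- a/nixos/modules/services/home-automation/ebusd.nix
+++ b/nixos/modules/services/home-automation/ebusd.nix
@@ -155,7 +155,11 @@
 
   config =
     let
-      usesDev = lib.hasPrefix "/" cfg.device;
+      usesDev = lib.any (prefix: lib.hasPrefix prefix cfg.device) [
+        "/"
+        "ens:/"
+        "enh:/"
+      ];
     in
     lib.mkIf cfg.enable {
       systemd.services.ebusd = {
@@ -200,12 +204,14 @@
 
           # Hardening
           CapabilityBoundingSet = "";
-          DeviceAllow = lib.optionals usesDev [ cfg.device ];
+          DeviceAllow = lib.optionals usesDev [
+            (lib.removePrefix "ens:" (lib.removePrefix "enh:" cfg.device))
+          ];
           DevicePolicy = "closed";
           LockPersonality = true;
           MemoryDenyWriteExecute = false;
           NoNewPrivileges = true;
-          PrivateDevices = usesDev;
+          PrivateDevices = !usesDev;
           PrivateUsers = true;
           PrivateTmp = true;
           ProtectClock = true;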
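Review bot: The new `DeviceAllow` entry in the second hunk has no access specifier, so systemd grants the default `rwm` on the node although ebusd only needs to open it for read/write; append `:rw` to the stripped path, e.g. `"${lib.removePrefix "ens:" (lib.removePrefix "enh:" cfg.device)}:rw"`. The `ens:`/`enh:` prefixes now appear twice, once in the `usesDev` list and once in the stripping expression, so a single `devicePath = lib.removePrefix "ens:" (lib.removePrefix "enh:" cfg.device);` binding beside `usesDev`, reused in `DeviceAllow`, would keep the two from drifting apart when another prefix is added. Turning `PrivateDevices` off whenever a local node is configured is what makes `DeviceAllow` effective, but nothing in the hunk says so; a comment such as `# PrivateDevices would hide the serial adapter; DevicePolicy/DeviceAllow restrict access instead` stops the next hardening pass from re-enabling it. If `cfg.device` is a udev symlink such as `/dev/serial/by-id/...`, I believe systemd resolves it to a major:minor at unit start, but that is worth confirming rather than assumed, since an unresolved entry would silently leave the adapter blocked.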