nixos/ebusd: fix device access (#352743)

authored by Arne Keller and committed by GitHub bfd71544 2e5a764e

+9 -3
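--- a/nixos/modules/services/home-automation/ebusd.nix
+++ b/nixos/modules/services/home-automation/ebusd.nix
@@ -155,7 +155,11 @@
 
 config =
 let
-usesDev = lib.hasPrefix "/" cfg.device;
+usesDev = lib.any (prefix: lib.hasPrefix prefix cfg.device) [
+"/"
+"ens:/"
+"enh:/"
+];
 in
 lib.mkIf cfg.enable {
 systemd.services.ebusd = {
@@ -200,12 +204,14 @@
 
 # Hardening
 CapabilityBoundingSet = "";
-DeviceAllow = lib.optionals usesDev [ cfg.device ];
+DeviceAllow = lib.optionals usesDev [
+(lib.removePrefix "ens:" (lib.removePrefix "enh:" cfg.device))
+];
 DevicePolicy = "closed";
 LockPersonality = true;
 MemoryDenyWriteExecute = false;
 NoNewPrivileges = true;
-PrivateDevices = usesDev;
+PrivateDevices = !usesDev;
 PrivateUsers = true;
 PrivateTmp = true;
 ProtectClock = true;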
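Review bot: The new `DeviceAllow` entry (new lines 207–209) names the device node without an access specifier, so the unit receives whatever systemd assumes when the mode is omitted, which if I read the default right includes mknod; an explicit `"${lib.removePrefix "ens:" (lib.removePrefix "enh:" cfg.device)} rw"` grants only the read/write access the serial adapter needs. The prefixes recognised by `usesDev` (new lines 158–162) and the ones stripped for `DeviceAllow` are maintained as two separate literals, so a prefix added to one list will silently be missed by the other; deriving both from a single `devicePrefixes = [ "ens:" "enh:" ]` binding in the same `let` would keep them in step. The enclosing `config` set and the `systemd.services.ebusd` definition continue outside both hunks.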