nixos/zigbee2mqtt: only add port to DeviceAllow if it is a device (#356573)

authored by Martin Weinelt and committed by GitHub f3a1d218 66d813d9

+1 -3
+1 -3
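--- a/nixos/modules/services/home-automation/zigbee2mqtt.nix
+++ b/nixos/modules/services/home-automation/zigbee2mqtt.nix
@@ -76,9 +76,7 @@
 
 # Hardening
 CapabilityBoundingSet = "";
-DeviceAllow = [
-config.services.zigbee2mqtt.settings.serial.port
-];
+DeviceAllow = lib.optionals (lib.hasPrefix "/" cfg.settings.serial.port) [ cfg.settings.serial.port ];
 DevicePolicy = "closed";
 LockPersonality = true;
 MemoryDenyWriteExecute = false;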
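Review bot: The guard on the new `DeviceAllow` line treats every absolute path as a device node, and the entry still carries no access mode, so the allow-list is wider than the serial adapter needs. systemd only accepts device node paths under `/dev/` here, and an entry without a mode is, as far as I know, treated as `rwm`; something like `DeviceAllow = lib.optionals (lib.hasPrefix "/dev/" cfg.settings.serial.port) [ "${cfg.settings.serial.port} rw" ];` keeps read/write and drops mknod. It also looks as if `lib.hasPrefix` would fail evaluation should `serial.port` ever be set to null, which is worth confirming against the option's type. A short comment above the line saying that non-path values of `serial.port` are not device nodes would explain the condition. The surrounding attribute set starts and ends outside the hunk.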