Unverified Commit d3e0a89c authored by Martin Weinelt's avatar Martin Weinelt

nixos/logrotate: relax hardening

The previous hardening change restricted the unit too much, breaking
legitimate functionality of logrotate.

Unfortunately this was not covered by our NixOS test.
parent 325a2b48
+5 −3
@@ -260,6 +260,8 @@ in
        # hardening
        CapabilityBoundingSet = [
          "CAP_CHOWN"
          "CAP_DAC_OVERRIDE"
          "CAP_SETUID"
          "CAP_SETGID"
        ];
        DevicePolicy = "closed";
@@ -280,16 +282,16 @@ in
        ProtectSystem = "full";
        RestrictNamespaces = true;
        RestrictRealtime = true;
        RestrictSUIDSGID = true;
        RestrictSUIDSGID = false; # can create sgid directories
        SystemCallArchitectures = "native";
        SystemCallFilter = [
          "@system-service"
          "@system-service @setuid"
          "~@privileged @resources"
          "@chown"
        ];
        UMask = "0027";
      } // lib.optionalAttrs (!cfg.allowNetworking) {
        PrivateNetwork = true;
        PrivateNetwork = true; # e.g. mail delivery
        RestrictAddressFamilies = "none";
      };
    };
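Review bot: The `@setuid` appended to the first SystemCallFilter entry (`"@system-service @setuid"`) looks like it is cancelled again by the next entry: systemd merges SystemCallFilter= assignments in order, and as far as I recall the setuid/setgid syscall family is part of `@privileged`, which is presumably also why `@chown` is listed after the `"~@privileged @resources"` line instead of in the first entry. If that is right, the syscalls that the newly added `CAP_SETUID`/`CAP_SETGID` are meant to enable are still blocked, and moving the group after the deny line, `"@chown @setuid"`, would make the relaxation effective; please verify against the systemd filter-set definitions. The description states the breakage was not caught by the NixOS test, but the commit adds no test; exercising the relaxed paths this hunk names (ownership changes, sgid directory creation, and mail delivery when `allowNetworking` is set) would stop the hardening from silently breaking logrotate a second time. The serviceConfig attribute set these lines belong to begins before the first hunk.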