Loading nixos/modules/services/misc/mollysocket.nix +2 −6 Original line number Diff line number Diff line { config, lib, pkgs, ... }: let inherit (lib) getExe mkIf mkOption mkEnableOption optionals types; inherit (lib) getExe mkIf mkOption mkEnableOption types; cfg = config.services.mollysocket; configuration = format.generate "mollysocket.conf" cfg.settings; Loading Loading @@ -85,9 +85,7 @@ in { after = [ "network-online.target" ]; wants = [ "network-online.target" ]; environment.RUST_LOG = cfg.logLevel; serviceConfig = let capabilities = [ "" ] ++ optionals (cfg.settings.port < 1024) [ "CAP_NET_BIND_SERVICE" ]; in { serviceConfig = { EnvironmentFile = cfg.environmentFile; ExecStart = "${getExe package} server"; KillSignal = "SIGINT"; Loading @@ -97,8 +95,6 @@ in { WorkingDirectory = "/var/lib/mollysocket"; # hardening AmbientCapabilities = capabilities; CapabilityBoundingSet = capabilities; DevicePolicy = "closed"; DynamicUser = true; LockPersonality = true; Loading nixos/modules/services/misc/paperless.nix +0 −3 Original line number Diff line number Diff line Loading @@ -372,9 +372,6 @@ in SystemCallFilter = defaultServiceConfig.SystemCallFilter ++ [ "@setuid mbind" ]; # Needs to serve web page PrivateNetwork = false; } // lib.optionalAttrs (cfg.port < 1024) { AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ]; CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ]; }; environment = env // { PYTHONPATH = "${cfg.package.python.pkgs.makePythonPath cfg.package.propagatedBuildInputs}:${cfg.package}/lib/paperless-ngx/src"; Loading nixos/modules/services/misc/tandoor-recipes.nix +0 −3 Original line number Diff line number Diff line Loading 
@@ -119,9 +119,6 @@ in # gunicorn needs setuid SystemCallFilter = [ "@system-service" "~@privileged" "@resources" "@setuid" "@keyring" ]; UMask = "0066"; } // lib.optionalAttrs (cfg.port < 1024) { AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ]; CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ]; }; wantedBy = [ "multi-user.target" ]; Loading nixos/modules/services/misc/transfer-sh.nix +0 −1 Original line number Diff line number Diff line Loading @@ -69,7 +69,6 @@ in wantedBy = [ "multi-user.target" ]; environment = mapAttrs (_: v: if isBool v then boolToString v else toString v) cfg.settings; serviceConfig = { CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ]; DevicePolicy = "closed"; DynamicUser = true; ExecStart = "${getExe cfg.package} --provider ${cfg.provider}"; Loading nixos/modules/services/misc/wastebin.nix +0 −1 Original line number Diff line number Diff line Loading @@ -126,7 +126,6 @@ in wantedBy = [ "multi-user.target" ]; environment = mapAttrs (_: v: if isBool v then boolToString v else toString v) cfg.settings; serviceConfig = { CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ]; DevicePolicy = "closed"; DynamicUser = true; ExecStart = "${getExe cfg.package}"; Loading Loading
nixos/modules/services/misc/mollysocket.nix +2 −6 Original line number Diff line number Diff line { config, lib, pkgs, ... }: let inherit (lib) getExe mkIf mkOption mkEnableOption optionals types; inherit (lib) getExe mkIf mkOption mkEnableOption types; cfg = config.services.mollysocket; configuration = format.generate "mollysocket.conf" cfg.settings; Loading Loading @@ -85,9 +85,7 @@ in { after = [ "network-online.target" ]; wants = [ "network-online.target" ]; environment.RUST_LOG = cfg.logLevel; serviceConfig = let capabilities = [ "" ] ++ optionals (cfg.settings.port < 1024) [ "CAP_NET_BIND_SERVICE" ]; in { serviceConfig = { EnvironmentFile = cfg.environmentFile; ExecStart = "${getExe package} server"; KillSignal = "SIGINT"; Loading @@ -97,8 +95,6 @@ in { WorkingDirectory = "/var/lib/mollysocket"; # hardening AmbientCapabilities = capabilities; CapabilityBoundingSet = capabilities; DevicePolicy = "closed"; DynamicUser = true; LockPersonality = true; Loading
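Review bot: Deleting `CapabilityBoundingSet = capabilities;` under `# hardening` also drops the empty entry that the old `capabilities` list always started with (`[ "" ] ++ optionals …`). For ports of 1024 and above, the unit therefore goes from an explicitly empty bounding set to whatever systemd applies by default. If the intent is only to stop granting `CAP_NET_BIND_SERVICE`, keep the restriction with `CapabilityBoundingSet = [ "" ];` in the hardening block. The same applies to transfer-sh.nix and wastebin.nix, where the only visible `CapabilityBoundingSet` line is deleted rather than emptied. The `serviceConfig` attrset continues outside these hunks, so a bounding set defined further down would not be visible here.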
nixos/modules/services/misc/paperless.nix +0 −3 Original line number Diff line number Diff line Loading @@ -372,9 +372,6 @@ in SystemCallFilter = defaultServiceConfig.SystemCallFilter ++ [ "@setuid mbind" ]; # Needs to serve web page PrivateNetwork = false; } // lib.optionalAttrs (cfg.port < 1024) { AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ]; CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ]; }; environment = env // { PYTHONPATH = "${cfg.package.python.pkgs.makePythonPath cfg.package.propagatedBuildInputs}:${cfg.package}/lib/paperless-ngx/src"; Loading
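Review bot: With the `lib.optionalAttrs (cfg.port < 1024)` branch removed, nothing in this hunk explains how the unit binds its socket when `cfg.port` is below 1024, and the option presumably still accepts such values. If low ports are expected to work through some other mechanism, record it next to `PrivateNetwork = false;`, for example `# no CAP_NET_BIND_SERVICE: binding ports < 1024 relies on <mechanism>`. Otherwise, add an assertion rejecting `cfg.port < 1024` so a misconfiguration fails at evaluation time rather than at service start. tandoor-recipes.nix drops the identical branch and needs the same treatment. The attrset this hunk edits starts outside the visible lines.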
nixos/modules/services/misc/tandoor-recipes.nix +0 −3 Original line number Diff line number Diff line Loading @@ -119,9 +119,6 @@ in # gunicorn needs setuid SystemCallFilter = [ "@system-service" "~@privileged" "@resources" "@setuid" "@keyring" ]; UMask = "0066"; } // lib.optionalAttrs (cfg.port < 1024) { AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ]; CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ]; }; wantedBy = [ "multi-user.target" ]; Loading
nixos/modules/services/misc/transfer-sh.nix +0 −1 Original line number Diff line number Diff line Loading @@ -69,7 +69,6 @@ in wantedBy = [ "multi-user.target" ]; environment = mapAttrs (_: v: if isBool v then boolToString v else toString v) cfg.settings; serviceConfig = { CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ]; DevicePolicy = "closed"; DynamicUser = true; ExecStart = "${getExe cfg.package} --provider ${cfg.provider}"; Loading
nixos/modules/services/misc/wastebin.nix +0 −1 Original line number Diff line number Diff line Loading @@ -126,7 +126,6 @@ in wantedBy = [ "multi-user.target" ]; environment = mapAttrs (_: v: if isBool v then boolToString v else toString v) cfg.settings; serviceConfig = { CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ]; DevicePolicy = "closed"; DynamicUser = true; ExecStart = "${getExe cfg.package}"; Loading