Unverified Commit 5724c319 authored by Lin Jian's avatar Lin Jian

nixos/tayga: always set virtualOwner to null

Previously, due to a limitation of
networking.interfaces.*.virtualOwner, it was only set to null when
using the systemd-networkd backend.  With this patch, virtualOwner is
always set to null.
parent 17256403
+3 −8
@@ -167,7 +167,7 @@ in
    networking.interfaces."${cfg.tunDevice}" = {
      virtual = true;
      virtualType = "tun";
      virtualOwner = mkIf config.networking.useNetworkd "";
      virtualOwner = null;
      ipv4 = {
        addresses = [
          {
@@ -205,9 +205,7 @@ in
        ExecReload = "${pkgs.coreutils}/bin/kill -SIGHUP $MAINPID";
        Restart = "always";

        # Hardening Score:
        #  - nixos-scripts: 2.1
        #  - systemd-networkd: 1.6
        # Hardening Score: 1.5
        ProtectHome = true;
        SystemCallFilter = [
          "@network-io"
@@ -216,9 +214,6 @@ in
          "~@resources"
        ];
        ProtectKernelLogs = true;
        AmbientCapabilities = [
          "CAP_NET_ADMIN"
        ];
        CapabilityBoundingSet = "";
        RestrictAddressFamilies = [
          "AF_INET"
@@ -226,7 +221,7 @@ in
          "AF_NETLINK"
        ];
        StateDirectory = "tayga";
        DynamicUser = mkIf config.networking.useNetworkd true;
        DynamicUser = true;
        MemoryDenyWriteExecute = true;
        RestrictRealtime = true;
        RestrictSUIDSGID = true;
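Review bot: The surviving `CapabilityBoundingSet = "";` in hunk `@@ -216,9 +214,6 @@` is now the only capability setting in view, and from that hunk's counts (9 old, 6 new, no additions) the three dropped lines appear to be the `AmbientCapabilities = [ "CAP_NET_ADMIN" ];` block, while the last hunk makes `DynamicUser = true;` unconditional, so on both backends the service now runs as an unprivileged dynamic user. Nothing in the diff shows how that user obtains the right to attach to the tun device once `virtualOwner = null;` is used with the scripted backend as well, so the commit message should state where that access comes from (presumably the module's handling of a null `virtualOwner`, in a part of the file outside this diff), or a short comment should be placed above `DynamicUser = true;` pointing the reader to it. The replacement comment `# Hardening Score: 1.5` would also be more useful with its source, e.g. `# Hardening Score (systemd-analyze security): 1.5`, since it drops the per-backend values and the single number is otherwise hard to reproduce. The hunks lost their `+`/`-` markers on this page, so the line assignment above is inferred from the hunk headers and the `+3 −8` diffstat.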