Commit d5d3834b authored by Julien Moutinho's avatar Julien Moutinho

nixos/tor: do not bind storeDir when systemd-confinement is enabled

Otherwise it undermines systemd-confinement,
whose job is to filter what gets bind-mounted from the storeDir.
parent aa24bdf8
+1 −1
@@ -1441,9 +1441,9 @@ in
        #InaccessiblePaths = [ "-+${runDir}/root" ];
        UMask = "0066";
        BindReadOnlyPaths = [
          builtins.storeDir
          "/etc"
        ]
        ++ lib.optional (!config.systemd.services.tor.confinement.enable) builtins.storeDir
        ++ lib.optionals config.services.resolved.enable [
          "/run/systemd/resolve/stub-resolv.conf"
          "/run/systemd/resolve/resolv.conf"
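Review bot: The new `++ lib.optional (!config.systemd.services.tor.confinement.enable) builtins.storeDir` line carries no explanation of why the store is only bound when confinement is off, so a later maintainer may well put `builtins.storeDir` back into the unconditional list just above it; a comment directly above the line such as `# With systemd-confinement enabled only the service's closure is bind-mounted from the store; binding all of storeDir would bypass that filtering.` would anchor the intent the commit message gives. Note that `"/etc"` stays in the unconditional read-only list in both modes, which this change leaves as is. The enclosing serviceConfig attribute set begins and ends outside the hunk.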