Loading nixos/modules/programs/clash-verge.nix +3 −2 Original line number Diff line number Diff line Loading @@ -68,12 +68,13 @@ ProtectControlGroups = true; LockPersonality = true; RestrictRealtime = true; RuntimeDirectory = "clash-verge-rev"; ProtectClock = true; MemoryDenyWriteExecute = true; RestrictSUIDSGID = true; RestrictNamespaces = [ "~user cgroup ipc mnt uts" ]; RestrictNamespaces = [ "~user cgroup mnt uts" ]; RestrictAddressFamilies = [ "AF_INET AF_INET6 AF_NETLINK AF_PACKET AF_RAW" "AF_INET AF_INET6 AF_NETLINK AF_PACKET AF_UNIX" ]; CapabilityBoundingSet = [ "CAP_NET_ADMIN CAP_NET_RAW CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SETUID CAP_SETGID CAP_CHOWN CAP_MKNOD" Loading pkgs/by-name/cl/clash-verge-rev/0003-IPC-move-path-to-run-clash-verge-rev-service.sock.patch 0 → 100644 +32 −0 Original line number Diff line number Diff line From 75296a3059419b91f638ee45215e56781bfda256 Mon Sep 17 00:00:00 2001 From: wxt <3264117476@qq.com> Date: Sat, 28 Jun 2025 14:30:23 +0800 Subject: [PATCH] IPC: move path to /run/clash-verge-rev/service.sock --- src/service/ipc.rs | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/service/ipc.rs b/src/service/ipc.rs index df39787..f441cd2 100644 --- a/src/service/ipc.rs +++ b/src/service/ipc.rs @@ -20,7 +20,7 @@ use std::ffi::OsStr; const IPC_SOCKET_NAME: &str = if cfg!(windows) { r"\\.\pipe\clash-verge-service" } else { - "/tmp/clash-verge-service.sock" + "/run/clash-verge-rev/service.sock" }; /// 消息时间有效期(秒) @@ -660,4 +660,4 @@ fn handle_unix_connection_sync(mut stream: std::os::unix::net::UnixStream) -> Re .context("写入响应内容失败")?; Ok(()) -} \ No newline at end of file +} -- 2.49.0 pkgs/by-name/cl/clash-verge-rev/service.nix +5 −2 Original line number Diff line number Diff line Loading @@ -16,8 +16,7 @@ rustPlatform.buildRustPackage { sourceRoot = "${src-service.name}"; patches = [ # FIXME: remove until upstream fix these # https://github.com/clash-verge-rev/clash-verge-rev/issues/3428 # I want to keep these patches because it's not harmful. # Patch: Restrict bin_path in spawn_process to be under the clash-verge-service directory. # This prevents arbitrary code execution by ensuring only trusted binaries from the Nix store are allowed to run. Loading @@ -26,6 +25,10 @@ rustPlatform.buildRustPackage { # Patch: Add validation to prevent overwriting existing files. # This mitigates arbitrary file overwrite risks by ensuring a file does not already exist before writing. ./0002-core-prevent-overwriting-existing-file-by-validating.patch # Patch: move IPC directory from /tmp to /run/clash-verge-rev/service.lock # This allows we enable ProtectSystem="strict" and PrivateTmp ./0003-IPC-move-path-to-run-clash-verge-rev-service.sock.patch ]; nativeBuildInputs = [ Loading pkgs/by-name/cl/clash-verge-rev/unwrapped.nix +4 −0 Original line number Diff line number Diff line Loading @@ -49,6 +49,10 @@ rustPlatform.buildRustPackage { # If you need a newer version, you can override the mihomo input of the wrapped package sed -i -e '/Mihomo Alpha/d' ./src/components/setting/mods/clash-core-viewer.tsx # See service.nix for reasons substituteInPlace src-tauri/src/core/service_ipc.rs \ --replace-fail "/tmp/clash-verge-service.sock" "/run/clash-verge-rev/service.sock" substituteInPlace $cargoDepsCopy/libappindicator-sys-*/src/lib.rs \ --replace-fail "libayatana-appindicator3.so.1" "${libayatana-appindicator}/lib/libayatana-appindicator3.so.1" Loading Loading
nixos/modules/programs/clash-verge.nix +3 −2 Original line number Diff line number Diff line Loading @@ -68,12 +68,13 @@ ProtectControlGroups = true; LockPersonality = true; RestrictRealtime = true; RuntimeDirectory = "clash-verge-rev"; ProtectClock = true; MemoryDenyWriteExecute = true; RestrictSUIDSGID = true; RestrictNamespaces = [ "~user cgroup ipc mnt uts" ]; RestrictNamespaces = [ "~user cgroup mnt uts" ]; RestrictAddressFamilies = [ "AF_INET AF_INET6 AF_NETLINK AF_PACKET AF_RAW" "AF_INET AF_INET6 AF_NETLINK AF_PACKET AF_UNIX" ]; CapabilityBoundingSet = [ "CAP_NET_ADMIN CAP_NET_RAW CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SETUID CAP_SETGID CAP_CHOWN CAP_MKNOD" Loading
pkgs/by-name/cl/clash-verge-rev/0003-IPC-move-path-to-run-clash-verge-rev-service.sock.patch 0 → 100644 +32 −0 Original line number Diff line number Diff line From 75296a3059419b91f638ee45215e56781bfda256 Mon Sep 17 00:00:00 2001 From: wxt <3264117476@qq.com> Date: Sat, 28 Jun 2025 14:30:23 +0800 Subject: [PATCH] IPC: move path to /run/clash-verge-rev/service.sock --- src/service/ipc.rs | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/service/ipc.rs b/src/service/ipc.rs index df39787..f441cd2 100644 --- a/src/service/ipc.rs +++ b/src/service/ipc.rs @@ -20,7 +20,7 @@ use std::ffi::OsStr; const IPC_SOCKET_NAME: &str = if cfg!(windows) { r"\\.\pipe\clash-verge-service" } else { - "/tmp/clash-verge-service.sock" + "/run/clash-verge-rev/service.sock" }; /// 消息时间有效期(秒) @@ -660,4 +660,4 @@ fn handle_unix_connection_sync(mut stream: std::os::unix::net::UnixStream) -> Re .context("写入响应内容失败")?; Ok(()) -} \ No newline at end of file +} -- 2.49.0
pkgs/by-name/cl/clash-verge-rev/service.nix +5 −2 Original line number Diff line number Diff line Loading @@ -16,8 +16,7 @@ rustPlatform.buildRustPackage { sourceRoot = "${src-service.name}"; patches = [ # FIXME: remove until upstream fix these # https://github.com/clash-verge-rev/clash-verge-rev/issues/3428 # I want to keep these patches because it's not harmful. # Patch: Restrict bin_path in spawn_process to be under the clash-verge-service directory. # This prevents arbitrary code execution by ensuring only trusted binaries from the Nix store are allowed to run. Loading @@ -26,6 +25,10 @@ rustPlatform.buildRustPackage { # Patch: Add validation to prevent overwriting existing files. # This mitigates arbitrary file overwrite risks by ensuring a file does not already exist before writing. ./0002-core-prevent-overwriting-existing-file-by-validating.patch # Patch: move IPC directory from /tmp to /run/clash-verge-rev/service.lock # This allows we enable ProtectSystem="strict" and PrivateTmp ./0003-IPC-move-path-to-run-clash-verge-rev-service.sock.patch ]; nativeBuildInputs = [ Loading
pkgs/by-name/cl/clash-verge-rev/unwrapped.nix +4 −0 Original line number Diff line number Diff line Loading @@ -49,6 +49,10 @@ rustPlatform.buildRustPackage { # If you need a newer version, you can override the mihomo input of the wrapped package sed -i -e '/Mihomo Alpha/d' ./src/components/setting/mods/clash-core-viewer.tsx # See service.nix for reasons substituteInPlace src-tauri/src/core/service_ipc.rs \ --replace-fail "/tmp/clash-verge-service.sock" "/run/clash-verge-rev/service.sock" substituteInPlace $cargoDepsCopy/libappindicator-sys-*/src/lib.rs \ --replace-fail "libayatana-appindicator3.so.1" "${libayatana-appindicator}/lib/libayatana-appindicator3.so.1" Loading
