pyrox.dev / nixpkgs
lol
fork atom

nixos/ebusd: fix device access (#352743)

Arne Keller bfd71544 2e5a764e

options
unified split
Changed files
+9 -3
nixos
modules
services
home-automation
ebusd.nix
+9 -3
nixos/modules/services/home-automation/ebusd.nix 
···

       
155

       
155

       
 

       



     

       
156

       
156

       
 

       
  config =


     

       
157

       
157

       
 

       
    let


     

       
158

       

       
-

       
      usesDev = lib.hasPrefix "/" cfg.device;


     

       

       
158

       
+

       
      usesDev = lib.any (prefix: lib.hasPrefix prefix cfg.device) [


     

       

       
159

       
+

       
        "/"


     

       

       
160

       
+

       
        "ens:/"


     

       

       
161

       
+

       
        "enh:/"


     

       

       
162

       
+

       
      ];


     

       
159

       
163

       
 

       
    in


     

       
160

       
164

       
 

       
    lib.mkIf cfg.enable {


     

       
161

       
165

       
 

       
      systemd.services.ebusd = {


     
···

       
200

       
204

       
 

       



     

       
201

       
205

       
 

       
          # Hardening


     

       
202

       
206

       
 

       
          CapabilityBoundingSet = "";


     

       
203

       

       
-

       
          DeviceAllow = lib.optionals usesDev [ cfg.device ];


     

       

       
207

       
+

       
          DeviceAllow = lib.optionals usesDev [


     

       

       
208

       
+

       
            (lib.removePrefix "ens:" (lib.removePrefix "enh:" cfg.device))


     

       

       
209

       
+

       
          ];


     

       
204

       
210

       
 

       
          DevicePolicy = "closed";


     

       
205

       
211

       
 

       
          LockPersonality = true;


     

       
206

       
212

       
 

       
          MemoryDenyWriteExecute = false;


     

       
207

       
213

       
 

       
          NoNewPrivileges = true;


     

       
208

       

       
-

       
          PrivateDevices = usesDev;


     

       

       
214

       
+

       
          PrivateDevices = !usesDev;


     

       
209

       
215

       
 

       
          PrivateUsers = true;


     

       
210

       
216

       
 

       
          PrivateTmp = true;


     

       
211

       
217

       
 

       
          ProtectClock = true;