···

       
68
       
 
       
          ProtectControlGroups = true;

     

       
69
       
 
       
          LockPersonality = true;

     

       
70
       
 
       
          RestrictRealtime = true;

     

       
0
       
 
       

     

       
71
       
 
       
          ProtectClock = true;

     

       
72
       
 
       
          MemoryDenyWriteExecute = true;

     

       
73
       
 
       
          RestrictSUIDSGID = true;

     

       
74
       
-
       
          RestrictNamespaces = [ "~user cgroup ipc mnt uts" ];

     

       
75
       
 
       
          RestrictAddressFamilies = [

     

       
76
       
-
       
            "AF_INET AF_INET6 AF_NETLINK AF_PACKET AF_RAW"

     

       
77
       
 
       
          ];

     

       
78
       
 
       
          CapabilityBoundingSet = [

     

       
79
       
 
       
            "CAP_NET_ADMIN CAP_NET_RAW CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SETUID CAP_SETGID CAP_CHOWN CAP_MKNOD"

     

···

       
68
       
 
       
          ProtectControlGroups = true;

     

       
69
       
 
       
          LockPersonality = true;

     

       
70
       
 
       
          RestrictRealtime = true;

     

       
71
       
+
       
          RuntimeDirectory = "clash-verge-rev";

     

       
72
       
 
       
          ProtectClock = true;

     

       
73
       
 
       
          MemoryDenyWriteExecute = true;

     

       
74
       
 
       
          RestrictSUIDSGID = true;

     

       
75
       
+
       
          RestrictNamespaces = [ "~user cgroup mnt uts" ];

     

       
76
       
 
       
          RestrictAddressFamilies = [

     

       
77
       
+
       
            "AF_INET AF_INET6 AF_NETLINK AF_PACKET AF_UNIX"

     

       
78
       
 
       
          ];

     

       
79
       
 
       
          CapabilityBoundingSet = [

     

       
80
       
 
       
            "CAP_NET_ADMIN CAP_NET_RAW CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SETUID CAP_SETGID CAP_CHOWN CAP_MKNOD"

     

···

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

···

       
1
       
+
       
From 75296a3059419b91f638ee45215e56781bfda256 Mon Sep 17 00:00:00 2001

     

       
2
       
+
       
From: wxt <3264117476@qq.com>

     

       
3
       
+
       
Date: Sat, 28 Jun 2025 14:30:23 +0800

     

       
4
       
+
       
Subject: [PATCH] IPC: move path to /run/clash-verge-rev/service.sock

     

       
5
       
+
       


     

       
6
       
+
       
---

     

       
7
       
+
       
 src/service/ipc.rs | 4 ++--

     

       
8
       
+
       
 1 file changed, 2 insertions(+), 2 deletions(-)

     

       
9
       
+
       


     

       
10
       
+
       
diff --git a/src/service/ipc.rs b/src/service/ipc.rs

     

       
11
       
+
       
index df39787..f441cd2 100644

     

       
12
       
+
       
--- a/src/service/ipc.rs

     

       
13
       
+
       
+++ b/src/service/ipc.rs

     

       
14
       
+
       
@@ -20,7 +20,7 @@ use std::ffi::OsStr;

     

       
15
       
+
       
 const IPC_SOCKET_NAME: &str = if cfg!(windows) {

     

       
16
       
+
       
     r"\\.\pipe\clash-verge-service"

     

       
17
       
+
       
 } else {

     

       
18
       
+
       
-    "/tmp/clash-verge-service.sock"

     

       
19
       
+
       
+    "/run/clash-verge-rev/service.sock"

     

       
20
       
+
       
 };

     

       
21
       
+
       
 

     

       
22
       
+
       
 /// 消息时间有效期(秒)

     

       
23
       
+
       
@@ -660,4 +660,4 @@ fn handle_unix_connection_sync(mut stream: std::os::unix::net::UnixStream) -> Re

     

       
24
       
+
       
         .context("写入响应内容失败")?;

     

       
25
       
+
       
     

     

       
26
       
+
       
     Ok(())

     

       
27
       
+
       
-} 

     

       
28
       
+
       
\ No newline at end of file

     

       
29
       
+
       
+} 

     

       
30
       
+
       
-- 

     

       
31
       
+
       
2.49.0

     

       
32
       
+
       


     

···

       
16
       
 
       
  sourceRoot = "${src-service.name}";

     

       
17
       
 
       


     

       
18
       
 
       
  patches = [

     

       
19
       
-
       
    # FIXME: remove until upstream fix these

     

       
20
       
-
       
    # https://github.com/clash-verge-rev/clash-verge-rev/issues/3428

     

       
21
       
 
       


     

       
22
       
 
       
    # Patch: Restrict bin_path in spawn_process to be under the clash-verge-service directory.

     

       
23
       
 
       
    # This prevents arbitrary code execution by ensuring only trusted binaries from the Nix store are allowed to run.

     
···

       
26
       
 
       
    # Patch: Add validation to prevent overwriting existing files.

     

       
27
       
 
       
    # This mitigates arbitrary file overwrite risks by ensuring a file does not already exist before writing.

     

       
28
       
 
       
    ./0002-core-prevent-overwriting-existing-file-by-validating.patch

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
29
       
 
       
  ];

     

       
30
       
 
       


     

       
31
       
 
       
  nativeBuildInputs = [

     

···

       
16
       
 
       
  sourceRoot = "${src-service.name}";

     

       
17
       
 
       


     

       
18
       
 
       
  patches = [

     

       
19
       
+
       
    # I want to keep these patches because it's not harmful.

     

       
0
       
 
       

     

       
20
       
 
       


     

       
21
       
 
       
    # Patch: Restrict bin_path in spawn_process to be under the clash-verge-service directory.

     

       
22
       
 
       
    # This prevents arbitrary code execution by ensuring only trusted binaries from the Nix store are allowed to run.

     
···

       
25
       
 
       
    # Patch: Add validation to prevent overwriting existing files.

     

       
26
       
 
       
    # This mitigates arbitrary file overwrite risks by ensuring a file does not already exist before writing.

     

       
27
       
 
       
    ./0002-core-prevent-overwriting-existing-file-by-validating.patch

     

       
28
       
+
       


     

       
29
       
+
       
    # Patch: move IPC directory from /tmp to /run/clash-verge-rev/service.lock

     

       
30
       
+
       
    # This allows we enable ProtectSystem="strict" and PrivateTmp

     

       
31
       
+
       
    ./0003-IPC-move-path-to-run-clash-verge-rev-service.sock.patch

     

       
32
       
 
       
  ];

     

       
33
       
 
       


     

       
34
       
 
       
  nativeBuildInputs = [

     

···

       
49
       
 
       
    # If you need a newer version, you can override the mihomo input of the wrapped package

     

       
50
       
 
       
    sed -i -e '/Mihomo Alpha/d' ./src/components/setting/mods/clash-core-viewer.tsx

     

       
51
       
 
       


     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
52
       
 
       
    substituteInPlace $cargoDepsCopy/libappindicator-sys-*/src/lib.rs \

     

       
53
       
 
       
      --replace-fail "libayatana-appindicator3.so.1" "${libayatana-appindicator}/lib/libayatana-appindicator3.so.1"

     

       
54
       
 
       


     

···

       
49
       
 
       
    # If you need a newer version, you can override the mihomo input of the wrapped package

     

       
50
       
 
       
    sed -i -e '/Mihomo Alpha/d' ./src/components/setting/mods/clash-core-viewer.tsx

     

       
51
       
 
       


     

       
52
       
+
       
    # See service.nix for reasons

     

       
53
       
+
       
    substituteInPlace src-tauri/src/core/service_ipc.rs \

     

       
54
       
+
       
      --replace-fail "/tmp/clash-verge-service.sock" "/run/clash-verge-rev/service.sock"

     

       
55
       
+
       


     

       
56
       
 
       
    substituteInPlace $cargoDepsCopy/libappindicator-sys-*/src/lib.rs \

     

       
57
       
 
       
      --replace-fail "libayatana-appindicator3.so.1" "${libayatana-appindicator}/lib/libayatana-appindicator3.so.1"

     

       
58