nixos/systemd-confinement: support ProtectSystem=/DynamicUser=

See https://discourse.nixos.org/t/hardening-systemd-services/17147/14
author: Julien Moutinho <julm+nixpkgs@sourcephile.fr> 2024-02-17 15:48:10 +0100
committer: aszlig <aszlig@nix.build> 2024-05-13 00:40:25 +0200
commit: 0a5542c766cc14b3a6c841d0f47ab098605776e2 (patch)
tree: af5070c1860a74c6cfcd9f99a73ce3a72b1feb54 /nixos/doc/manual/release-notes/rl-2405.section.md
parent: 0d793f31de97aeb54a75e4b798f1e8c1fa3138ae (diff)
1 files changed, 2 insertions, 0 deletions
diff --git a/nixos/doc/manual/release-notes/rl-2405.section.md b/nixos/doc/manual/release-notes/rl-2405.section.md
index a43e8f26cabe7..a756751ea2a06 100644
--- a/nixos/doc/manual/release-notes/rl-2405.section.md
+++ b/nixos/doc/manual/release-notes/rl-2405.section.md
@@ -713,6 +713,8 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m
 - `documentation.man.mandoc` now by default uses `MANPATH` to set the directories where mandoc will search for manual pages.
   This enables mandoc to find manual pages in Nix profiles. To set the manual search paths via the `mandoc.conf` configuration file like before, use `documentation.man.mandoc.settings.manpath` instead.
 
+- The `systemd-confinement` module extension is now compatible with `DynamicUser=true` and thus `ProtectSystem=strict` too.
+
 - `grafana-loki` package was updated to 3.0.0 which includes [breaking changes](https://github.com/grafana/loki/releases/tag/v3.0.0).
 
 - `programs.fish.package` now allows you to override the package used in the `fish` module.
author	Julien Moutinho <julm+nixpkgs@sourcephile.fr>	2024-02-17 15:48:10 +0100
committer	aszlig <aszlig@nix.build>	2024-05-13 00:40:25 +0200
commit	0a5542c766cc14b3a6c841d0f47ab098605776e2 (patch)
tree	af5070c1860a74c6cfcd9f99a73ce3a72b1feb54 /nixos/doc/manual/release-notes/rl-2405.section.md
parent	0d793f31de97aeb54a75e4b798f1e8c1fa3138ae (diff)