| author | Martin Weinelt <hexa@darmstadt.ccc.de> | 2022-09-04 16:14:17 +0200 |
|---|---|---|
| committer | Martin Weinelt <hexa@darmstadt.ccc.de> | 2022-09-04 16:24:24 +0200 |
| commit | f98011803ebbe7e68e2133a3405d4928f3c274c7 (patch) | |
| tree | ee0b731e230333fa2206f25c5997d1436bffa345 /nixos/modules/services/misc/paperless.nix | |
| parent | 73e10d9d5a150c2dbaac705389b9ca41fcc0626d (diff) | |
nixos/paperless: Restrict CAP_NET_BIND_SERVICE
Handing CAP_NET_BIND_SERVICE to the `paperless-web.service` only makes sense when it actually wants to bind to a port < 1024. Don't hand it out if that is not the case.
Diffstat (limited to 'nixos/modules/services/misc/paperless.nix')
| -rw-r--r-- | nixos/modules/services/misc/paperless.nix | 5 |
|---|---|---|

1 file changed, 3 insertions, 2 deletions
diff --git a/nixos/modules/services/misc/paperless.nix b/nixos/modules/services/misc/paperless.nix index 9e554b93fc824..b1cf72258d174 100644 --- a/nixos/modules/services/misc/paperless.nix +++ b/nixos/modules/services/misc/paperless.nix @@ -286,12 +286,13 @@ in ''; Restart = "on-failure"; - AmbientCapabilities = "CAP_NET_BIND_SERVICE"; - CapabilityBoundingSet = "CAP_NET_BIND_SERVICE"; # gunicorn needs setuid, liblapack needs mbind SystemCallFilter = defaultServiceConfig.SystemCallFilter ++ [ "@setuid mbind" ]; # Needs to serve web page PrivateNetwork = false; + } // lib.optionalAttrs (cfg.port < 1024) { + AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ]; + CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ]; }; environment = env // { PATH = mkForce cfg.package.path; |
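Review bot: the `cfg.port < 1024` threshold in the new `lib.optionalAttrs` branch hardcodes the kernel's default `net.ipv4.ip_unprivileged_port_start`; a one-line comment stating that assumption (or a note in the `port` option description that ports below 1024 cause CAP_NET_BIND_SERVICE to be granted) would help a reader who has tuned that sysctl. It is also worth confirming that the base `serviceConfig` merged above the hunk (the `defaultServiceConfig` referenced by `SystemCallFilter`) still sets `CapabilityBoundingSet` to an empty set: now that the unconditional `CapabilityBoundingSet = "CAP_NET_BIND_SERVICE";` line is gone, a missing base value would leave the bounding set at the systemd default for the common port >= 1024 case, widening it rather than tightening it as the commit message intends.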