diff options
| author | aszlig <aszlig@nix.build> | 2024-05-13 00:28:09 +0200 |
|---|---|---|
| committer | aszlig <aszlig@nix.build> | 2024-05-13 00:40:41 +0200 |
| commit | e4bd1e8f92371efd9b48657cc03b04a755a05f49 (patch) | |
| tree | 1c99823e29c0e577fbbd096c477010997688ac42 /nixos/modules | |
| parent | 0a9cecc35a651a020f66a4cc2a8333e33558650d (diff) | |
nixos/confinement: Use prio 100 for RootDirectory
One of the module that already supports the systemd-confinement module is public-inbox. However with the changes to support DynamicUser and ProtectSystem, the module will now fail at runtime if confinement is enabled (it's optional and you'll need to override it via another module). The reason is that the RootDirectory is set to /var/empty in the public-inbox module, which doesn't work well with the InaccessiblePaths directive we now use to support DynamicUser/ProtectSystem. To make this issue more visible, I decided to just change the priority of the RootDirectory option definiton the default override priority so that whenever another different option is defined, we'll get a conflict at evaluation time. Signed-off-by: aszlig <aszlig@nix.build>
Diffstat (limited to 'nixos/modules')
| -rw-r--r-- | nixos/modules/security/systemd-confinement.nix | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/nixos/modules/security/systemd-confinement.nix b/nixos/modules/security/systemd-confinement.nix index fa58ea22f8687..041c900338864 100644 --- a/nixos/modules/security/systemd-confinement.nix +++ b/nixos/modules/security/systemd-confinement.nix @@ -107,7 +107,7 @@ in { serviceConfig = { ReadOnlyPaths = [ "+/" ]; RuntimeDirectory = [ "confinement/${mkPathSafeName name}" ]; - RootDirectory = lib.mkDefault "/run/confinement/${mkPathSafeName name}"; + RootDirectory = "/run/confinement/${mkPathSafeName name}"; InaccessiblePaths = [ "-+/run/confinement/${mkPathSafeName name}" ]; |