Merge master into staging-next

2 files changed, 7 insertions, 1 deletions

diff --git a/nixos/doc/manual/release-notes/rl-2105.xml b/nixos/doc/manual/release-notes/rl-2105.xml
deleted file mode 100644
index e69de29bb2d1d..0000000000000
--- a/nixos/doc/manual/release-notes/rl-2105.xml
+++ /dev/null
diff --git a/nixos/modules/services/networking/babeld.nix b/nixos/modules/services/networking/babeld.nix
index 5e14283179ac3..aae6f1498a426 100644
--- a/nixos/modules/services/networking/babeld.nix
+++ b/nixos/modules/services/networking/babeld.nix
@@ -104,6 +104,7 @@ in
         ExecStart = "${pkgs.babeld}/bin/babeld -c ${configFile} -I /run/babeld/babeld.pid -S /var/lib/babeld/state";
         AmbientCapabilities = [ "CAP_NET_ADMIN" ];
         CapabilityBoundingSet = [ "CAP_NET_ADMIN" ];
+        DevicePolicy = "closed";
         DynamicUser = true;
         IPAddressAllow = [ "fe80::/64" "ff00::/8" "::1/128" "127.0.0.0/8" ];
         IPAddressDeny = "any";
@@ -123,12 +124,17 @@ in
         RemoveIPC = true;
         ProtectHome = true;
         ProtectHostname = true;
+        ProtectProc = "invisible";
         PrivateMounts = true;
         PrivateTmp = true;
         PrivateDevices = true;
         PrivateUsers = false; # kernel_route(ADD): Operation not permitted
+        ProcSubset = "pid";
         SystemCallArchitectures = "native";
-        SystemCallFilter = [ "@system-service" ];
+        SystemCallFilter = [
+          "@system-service"
+          "~@privileged @resources"
+        ];
         UMask = "0177";
         RuntimeDirectory = "babeld";
         StateDirectory = "babeld";