author | Jörg Thalheim <Mic92@users.noreply.github.com> | 2021-12-03 17:59:37 +0000 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-12-03 17:59:37 +0000 |
commit | 4f08634a1878229b5b9c17d2a0225a34fcc504a1 (patch) | |
tree | d18f59df097f3481f9364e94b52f23edfb936932 /nixos | |
parent | 99c916dd8eef8e63a54defe1eab0b821add4392f (diff) | |
parent | 6073b099d05458ba4dc3ade6cae7cb838ae5b2b9 (diff) |
Merge pull request #148458 from lunik1/snapraid-fix
nixos/snapraid: relax permissions of snapraid-sync
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/tasks/snapraid.nix | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/nixos/modules/tasks/snapraid.nix b/nixos/modules/tasks/snapraid.nix
index 4529009930fcb..ff956f3067096 100644
--- a/nixos/modules/tasks/snapraid.nix
+++ b/nixos/modules/tasks/snapraid.nix
@@ -193,7 +193,6 @@ in
 LockPersonality = true;
 MemoryDenyWriteExecute = true;
 NoNewPrivileges = true;
- PrivateDevices = true;
 PrivateTmp = true;
 ProtectClock = true;
 ProtectControlGroups = true;
@@ -208,7 +207,8 @@ in
 SystemCallArchitectures = "native";
 SystemCallFilter = "@system-service";
 SystemCallErrorNumber = "EPERM";
- CapabilityBoundingSet = "CAP_DAC_OVERRIDE";
+ CapabilityBoundingSet = "CAP_DAC_OVERRIDE" ++
+ lib.optionalString cfg.touchBeforeSync " CAP_FOWNER";
 ProtectSystem = "strict";
 ProtectHome = "read-only"; |
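Review bot: The removal of `PrivateDevices = true;` in the first hunk is unconditional and leaves no record of which device access the sync unit needs, so the hardening is lost for every configuration. The unit keeps `CAP_DAC_OVERRIDE` in its bounding set, so if the process holds that capability (the user it runs as is not visible here), mode bits on host `/dev` nodes no longer limit what it can open once the private `/dev` is gone. I would add a comment in its place, e.g. `# PrivateDevices is not set: snapraid needs <device access, state the reason> (PR #148458)`. If only particular devices are required, consider narrowing with `DevicePolicy`/`DeviceAllow` instead of exposing all of `/dev`. The `serviceConfig` set starts and ends outside the hunk, so an existing device restriction elsewhere cannot be ruled out.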
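Review bot: As the added `CapabilityBoundingSet` line reads on this page, the two operands are joined with `++`, which in Nix concatenates lists; both operands are strings (a literal and the result of `lib.optionalString`), so evaluation would fail instead of yielding the capability string. String concatenation is `+`, i.e. `CapabilityBoundingSet = "CAP_DAC_OVERRIDE" +`; if the extra plus is only an artefact of how the diff was flattened, this point is moot. Gating `CAP_FOWNER` on `cfg.touchBeforeSync` keeps the bounding set minimal, but the reason is not stated; a comment such as `# CAP_FOWNER: presumably needed so "snapraid touch" can set timestamps on files the service does not own` would help the next reader judge whether it is still required.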