Merge pull request #148458 from lunik1/snapraid-fix

nixos/snapraid: relax permissions of snapraid-sync
author: Jörg Thalheim <Mic92@users.noreply.github.com> 2021-12-03 17:59:37 +0000
committer: GitHub <noreply@github.com> 2021-12-03 17:59:37 +0000
commit: 4f08634a1878229b5b9c17d2a0225a34fcc504a1 (patch)
tree: d18f59df097f3481f9364e94b52f23edfb936932 /nixos
parent: 99c916dd8eef8e63a54defe1eab0b821add4392f (diff)
parent: 6073b099d05458ba4dc3ade6cae7cb838ae5b2b9 (diff)
1 files changed, 2 insertions, 2 deletions
diff --git a/nixos/modules/tasks/snapraid.nix b/nixos/modules/tasks/snapraid.nix
index 4529009930fcb..ff956f3067096 100644
--- a/nixos/modules/tasks/snapraid.nix
+++ b/nixos/modules/tasks/snapraid.nix
@@ -193,7 +193,6 @@ in
             LockPersonality = true;
             MemoryDenyWriteExecute = true;
             NoNewPrivileges = true;
-            PrivateDevices = true;
             PrivateTmp = true;
             ProtectClock = true;
             ProtectControlGroups = true;
@@ -208,7 +207,8 @@ in
             SystemCallArchitectures = "native";
             SystemCallFilter = "@system-service";
             SystemCallErrorNumber = "EPERM";
-            CapabilityBoundingSet = "CAP_DAC_OVERRIDE";
+            CapabilityBoundingSet = "CAP_DAC_OVERRIDE" ++
+              lib.optionalString cfg.touchBeforeSync " CAP_FOWNER";
 
             ProtectSystem = "strict";
             ProtectHome = "read-only";
author	Jörg Thalheim <Mic92@users.noreply.github.com>	2021-12-03 17:59:37 +0000
committer	GitHub <noreply@github.com>	2021-12-03 17:59:37 +0000
commit	4f08634a1878229b5b9c17d2a0225a34fcc504a1 (patch)
tree	d18f59df097f3481f9364e94b52f23edfb936932 /nixos
parent	99c916dd8eef8e63a54defe1eab0b821add4392f (diff)
parent	6073b099d05458ba4dc3ade6cae7cb838ae5b2b9 (diff)