Moved back to TemporaryFileSystem for system hardening.

I misunderstood bind mounts...
This commit is contained in:
Gabe Venberg 2025-04-24 16:33:03 +02:00
parent c8382c2126
commit a90293626d


@ -301,8 +301,12 @@ in {
) )
++ [externalStateDir] ++ [externalStateDir]
++ (mapAttrsToList (k: v: v.path) cfg.volumes); ++ (mapAttrsToList (k: v: v.path) cfg.volumes);
ProtectSystem = "strict"; # ProtectSystem = "strict";
ProtectHome = "tmpfs"; # Note that unlike what 'ro' implies,
# this actually makes it impossible to read anything in the root FS,
# except for things explicitly mounted via `RuntimeDirectory`, `StateDirectory`, `CacheDirectory`, and `BindReadOnlyPaths`.
# This is because TemporaryFileSystem creates a *new* *empty* filesystem for the process, so only bindmounts are visible.
TemporaryFileSystem = "/:ro";
PrivateTmp = true; PrivateTmp = true;
PrivateDevices = true; PrivateDevices = true;
ProtectKernelTunables = true; ProtectKernelTunables = true;
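Review bot: The explanatory comment added above `TemporaryFileSystem = "/:ro";` names `RuntimeDirectory`, `StateDirectory`, `CacheDirectory` and `BindReadOnlyPaths` as the only things visible inside the new root, but `BindPaths` (writable) and `LogsDirectory` are mounted into it as well, and the list built at the top of the hunk from `externalStateDir` and `cfg.volumes` looks like one of those bind lists, so the comment should state which of them it is and whether those paths end up writable. Because the empty tmpfs also hides `/nix/store`, the unit can only exec if the service's closure is bind-mounted in somewhere; that does not appear in this hunk, so a one-line comment pointing at where it is handled would save the next reader a failed start. `ProtectSystem = "strict";` is left commented out rather than removed; if the intent is that the tmpfs root supersedes it (and, reading the side-by-side as old/new, `ProtectHome = "tmpfs"` as well), say so, e.g. `# ProtectSystem/ProtectHome are redundant here: the empty tmpfs root already hides everything not bind-mounted.`, instead of leaving dead config. The enclosing attribute set starts before and continues past this hunk.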