diff options
| author | aszlig <aszlig@nix.build> | 2019-03-15 04:13:01 +0100 |
|---|---|---|
| committer | aszlig <aszlig@nix.build> | 2019-03-15 04:13:01 +0100 |
| commit | d13ad389b4a4ccaae3f3732f3735984814dbb851 (patch) | |
| tree | 27a27982a32080c82bfc8e87a8a2ec036ed7d782 /pkgs/development/python-modules/python-mapnik/python-mapnik_std_optional.patch | |
| parent | 9e9af4f9c076f382bc40821551beaeb68ca071cd (diff) | |
nixos/confinement: Explicitly set serviceConfig
My implementation was relying on PrivateDevices, PrivateTmp,
PrivateUsers and others to be false by default if chroot-only mode is
used.
However there is an ongoing effort[1] to change these defaults, which
then will actually increase the attack surface in chroot-only mode,
because it is expected that there is no /dev, /sys or /proc.
If for example PrivateDevices is enabled by default, there suddenly will
be a mounted /dev in the chroot and we wouldn't detect it.
Fortunately, our tests cover that, but I'm preparing for this anyway so
that we have a smoother transition without the need to fix our
implementation again.
Thanks to @Infinisil for the heads-up.
[1]: https://github.com/NixOS/nixpkgs/issues/14645
Signed-off-by: aszlig <aszlig@nix.build>
Diffstat (limited to 'pkgs/development/python-modules/python-mapnik/python-mapnik_std_optional.patch')
0 files changed, 0 insertions, 0 deletions
