jacobpascual/nix-bitcoin
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

services: add finer-grained address family restrictions

Browse Source 
Due to a possible NixOS bug, this commit has no effect on NixOS 20.09
where `RestrictAddressFamilies` is a no-op.
It's only relevant for NixOS unstable with cgroups v2.

bitcoind+zmq: instead of allowing all address families, only add the required
AF_NETLINK family.

lnd: lnd only runs a zmq client, not a server, therefore it requires
no additional address families.

lightning-pool, clightning-plugin-zmq: add AF_NETLINK.
This commit is contained in:
Erik Arvstedt
2021-03-22 13:19:46 +01:00
parent 020433cec6
commit 08fe9ba84a
5 changed files with 16 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
pkgs/lib.nix
View File

@@ -33,6 +33,10 @@ let self = {
SystemCallArchitectures = "native";
};
allowNetlink = {
RestrictAddressFamilies = self.defaultHardening.RestrictAddressFamilies + " AF_NETLINK";
};
# nodejs applications apparently rely on memory write execute
nodejs = { MemoryDenyWriteExecute = "false"; };