immich: less privileges

Motiejus Jakštys 2024-09-29 22:35:14 +03:00
parent 98248b2e5b
commit 34ad013b10


@ -60,7 +60,6 @@ in
name: srcpath: "${srcpath}:/var/cache/immich/bind-paths/${name}" name: srcpath: "${srcpath}:/var/cache/immich/bind-paths/${name}"
) cfg.bindPaths; ) cfg.bindPaths;
PrivateDevices = lib.mkForce false; # /dev/fuse PrivateDevices = lib.mkForce false; # /dev/fuse
ProtectHome = lib.mkForce false; # binding /home/motiejus
CapabilityBoundingSet = lib.mkForce "CAP_SYS_ADMIN | CAP_SETUID | CAP_SETGID"; CapabilityBoundingSet = lib.mkForce "CAP_SYS_ADMIN | CAP_SETUID | CAP_SETGID";
# testing # testing
@ -71,13 +70,6 @@ in
PrivateMounts = lib.mkForce false; PrivateMounts = lib.mkForce false;
ProtectClock = lib.mkForce false; ProtectClock = lib.mkForce false;
ProtectControlGroups = lib.mkForce false; ProtectControlGroups = lib.mkForce false;
ProtectHostname = lib.mkForce false;
ProtectKernelLogs = lib.mkForce false;
ProtectKernelModules = lib.mkForce false;
ProtectKernelTunables = lib.mkForce false;
RestrictNamespaces = lib.mkForce false;
RestrictRealtime = lib.mkForce false;
RestrictSUIDSGID = lib.mkForce false;
}; };
}; };
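Review bot: The overrides that survive in the second hunk (`PrivateMounts`, `ProtectClock` and `ProtectControlGroups` forced to `false`) still carry no stated reason, unlike `PrivateDevices`, which is annotated `# /dev/fuse`. They appear to sit under the `# testing` marker from the first hunk, and the bounding set on the new side still includes `CAP_SYS_ADMIN`, so mounts made by the service are not confined to a private mount namespace. Each remaining override should either be dropped, the same way this commit drops `ProtectKernelModules` and the others, or annotated with the concrete need, for example `PrivateMounts = lib.mkForce false; # required by <reason>`. With `ProtectHome` no longer forced off, it is also worth confirming that any `cfg.bindPaths` source under `/home` still resolves under the module's default. The enclosing attribute set starts outside the visible hunks, so other overrides may exist that this page does not show.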