work with caps

2024-10-01 15:52:20 +03:00 · 2024-10-01 15:52:20 +03:00 · 6b02aec518
parent 4b896109de
commit 6b02aec518
2 changed files with 14 additions and 9 deletions
--- a/hosts/mtworx/configuration.nix
+++ b/hosts/mtworx/configuration.nix
@ -186,12 +186,15 @@ in
    groups.mount-test = { };
  };

+  systemd.tmpfiles.rules = [ "d /data 0755 root root -" ];
+
  systemd.services.mount-test = {
    after = [ "network.target" ];
    wantedBy = [ "multi-user.target" ];
    serviceConfig = {
      RuntimeDirectory = "mount-test";
-      BindPaths = [ "/home/motiejus/x:/var/run/mount-test/x" ];
+      TemporaryFileSystem = "/data";
+      BindPaths = [ "/home/motiejus/x:/var/run/mount-test/bind-paths/x" ];
      PrivateDevices = false;

      Type = "simple";
@ -217,6 +220,7 @@ in
      RestrictNamespaces = true;
      RestrictRealtime = true;
      RestrictSUIDSGID = true;
+      CapabilityBoundingSet = lib.mkForce "CAP_SYS_ADMIN | CAP_SETUID | CAP_SETGID";

      User = "mount-test";
      Group = "mount-test";
@ -231,12 +235,13 @@ in
            ];
            text = ''
              set -x
-              mkdir -p /var/run/mount-test/inner
-              bindfs -u motiejus -g users /var/run/mount-test/x /var/run/mount-test/inner
-              exec setpriv \
-                --ruid mount-test \
-                --inh-caps -sys_admin,-setuid,-setgid \
-                touch /var/run/mount-test/inner/foo
+              mkdir -p /data/x
+              bindfs -d -u motiejus -g users /var/run/mount-test/bind-paths/x /data/x &
+              sleep 1
+              #exec setpriv \
+              #  --ruid mount-test \
+              #  --inh-caps -sys_admin,-setuid,-setgid \
+              touch /data/x/foo
            '';
          }
        ));
--- a/modules/services/immich/default.nix
+++ b/modules/services/immich/default.nix
@ -27,7 +27,7 @@ let
      }
      exec setpriv \
        --ruid ${immich-user} \
-        --inh-caps -sys_admin,-setuid,-setgid \
+        --inh-caps -all \
        ${lib.getExe immich-package}
    '';
  };
@ -61,7 +61,7 @@ in
          name: srcpath: "${srcpath}:/var/run/immich/bind-paths/${name}"
        ) cfg.bindPaths;
        PrivateDevices = lib.mkForce false; # /dev/fuse
-        CapabilityBoundingSet = lib.mkForce "CAP_SYS_ADMIN | CAP_SETUID | CAP_SETGID";
+        CapabilityBoundingSet = lib.mkForce "~";
        ExecStart = lib.mkForce ("!" + (lib.getExe startScript));
        PrivateUsers = lib.mkForce false; # bindfs fails otherwise
      };