work with caps

This commit is contained in:
Motiejus Jakštys 2024-10-01 15:52:20 +03:00
parent 4b896109de
commit 6b02aec518
2 changed files with 14 additions and 9 deletions


@ -186,12 +186,15 @@ in
groups.mount-test = { }; groups.mount-test = { };
}; };
systemd.tmpfiles.rules = [ "d /data 0755 root root -" ];
systemd.services.mount-test = { systemd.services.mount-test = {
after = [ "network.target" ]; after = [ "network.target" ];
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
serviceConfig = { serviceConfig = {
RuntimeDirectory = "mount-test"; RuntimeDirectory = "mount-test";
BindPaths = [ "/home/motiejus/x:/var/run/mount-test/x" ]; TemporaryFileSystem = "/data";
BindPaths = [ "/home/motiejus/x:/var/run/mount-test/bind-paths/x" ];
PrivateDevices = false; PrivateDevices = false;
Type = "simple"; Type = "simple";
@ -217,6 +220,7 @@ in
RestrictNamespaces = true; RestrictNamespaces = true;
RestrictRealtime = true; RestrictRealtime = true;
RestrictSUIDSGID = true; RestrictSUIDSGID = true;
CapabilityBoundingSet = lib.mkForce "CAP_SYS_ADMIN | CAP_SETUID | CAP_SETGID";
User = "mount-test"; User = "mount-test";
Group = "mount-test"; Group = "mount-test";
@ -231,12 +235,13 @@ in
]; ];
text = '' text = ''
set -x set -x
mkdir -p /var/run/mount-test/inner mkdir -p /data/x
bindfs -u motiejus -g users /var/run/mount-test/x /var/run/mount-test/inner bindfs -d -u motiejus -g users /var/run/mount-test/bind-paths/x /data/x &
exec setpriv \ sleep 1
--ruid mount-test \ #exec setpriv \
--inh-caps -sys_admin,-setuid,-setgid \ # --ruid mount-test \
touch /var/run/mount-test/inner/foo # --inh-caps -sys_admin,-setuid,-setgid \
touch /data/x/foo
''; '';
} }
)); ));
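Review bot: The `sleep 1` after `bindfs -d ... &` in the last hunk is a fixed delay rather than a readiness check, so `touch /data/x/foo` can run before the FUSE mount is up and silently write into the underlying tmpfs on `/data` instead of through bindfs. A bounded poll is safer: `for _ in $(seq 1 50); do mountpoint -q /data/x && break; sleep 0.1; done`, followed by `mountpoint -q /data/x || exit 1`. Separately, with the `setpriv` block commented out the `touch` now runs with the unit's full capability set (the new `CapabilityBoundingSet` line grants `CAP_SYS_ADMIN`, `CAP_SETUID` and `CAP_SETGID`), so this test no longer exercises the privilege-dropped path its old form checked; presumably that is a debugging step, but a comment such as `# TODO: re-enable the setpriv drop once the bindfs mount works` would make that explicit. The `mount-test` service definition starts before the first hunk and its `ExecStart`/script wrapper is split across hunks, so I cannot see whether `User=` or an `AmbientCapabilities=` setting interacts with this.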


@ -27,7 +27,7 @@ let
} }
exec setpriv \ exec setpriv \
--ruid ${immich-user} \ --ruid ${immich-user} \
--inh-caps -sys_admin,-setuid,-setgid \ --inh-caps -all \
${lib.getExe immich-package} ${lib.getExe immich-package}
''; '';
}; };
@ -61,7 +61,7 @@ in
name: srcpath: "${srcpath}:/var/run/immich/bind-paths/${name}" name: srcpath: "${srcpath}:/var/run/immich/bind-paths/${name}"
) cfg.bindPaths; ) cfg.bindPaths;
PrivateDevices = lib.mkForce false; # /dev/fuse PrivateDevices = lib.mkForce false; # /dev/fuse
CapabilityBoundingSet = lib.mkForce "CAP_SYS_ADMIN | CAP_SETUID | CAP_SETGID"; CapabilityBoundingSet = lib.mkForce "~";
ExecStart = lib.mkForce ("!" + (lib.getExe startScript)); ExecStart = lib.mkForce ("!" + (lib.getExe startScript));
PrivateUsers = lib.mkForce false; # bindfs fails otherwise PrivateUsers = lib.mkForce false; # bindfs fails otherwise
}; };
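Review bot: `CapabilityBoundingSet = lib.mkForce "~";` in the second hunk does not empty the bounding set, as I read systemd.exec(5): the `~` prefix inverts the listed capabilities, and with nothing listed the inversion is the full set, so this replaces the previous three-capability allow-list with no restriction at all. If the intent is for the `!`-prefixed start script to mount with root and then drop, keep an explicit allow-list (`"CAP_SYS_ADMIN"` plus whatever bindfs actually needs; `CAP_SETUID | CAP_SETGID` are still required for the `setpriv` uid change) and add a comment saying why they are granted. The companion change to `--inh-caps -all` in the first hunk also looks insufficient on its own: per setpriv(1), `--ruid` changes only the real UID and leaves the effective UID at 0, so the permitted and effective sets are kept across the exec; `--reuid ${immich-user} --bounding-set -all --inh-caps -all` would drop the effective UID and the remaining capabilities, assuming the group switch is handled in the lines above the hunk. Both `startScript`'s `text` and the `serviceConfig` attribute set begin outside the visible hunks.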