public/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Setuid wrapper should not be constrained to a specific linux kernel version

Browse Source
This commit is contained in:
Parnell Springmeyer 2017-01-26 09:39:37 -08:00
parent 01e6b82f3f
commit 9de070e620
No known key found for this signature in database
GPG Key ID: DCCF89258EAD874A
2 changed files with 0 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
nixos/modules/security/permissions-wrappers/default.nix
View File

@ -92,13 +92,6 @@ in
capabilities!! This may be too restrictive for cases in which capabilities!! This may be too restrictive for cases in which
the real program needs cap_setpcap but it at least leans on the real program needs cap_setpcap but it at least leans on
the side security paranoid vs. too relaxed. the side security paranoid vs. too relaxed.
The attribute `setcap` defaults to false and it will create a
wrapper program but never set the capability set on it. This
is done so that you can remove a capability sent entirely from
a wrapper program without also needing to go change any
absolute paths that may be directly referencing the wrapper
program.
''; '';
}; };

1
nixos/modules/security/permissions-wrappers/setuid-wrapper-drv.nix
View File

@ -21,7 +21,6 @@ in
# This is only useful for Linux platforms and a kernel version of # This is only useful for Linux platforms and a kernel version of
# 4.3 or greater # 4.3 or greater
assert pkgs.stdenv.isLinux; assert pkgs.stdenv.isLinux;
assert lib.versionAtLeast (lib.getVersion config.boot.kernelPackages.kernel) "4.3";
pkgs.stdenv.mkDerivation { pkgs.stdenv.mkDerivation {
name = "setuid-wrapper"; name = "setuid-wrapper";