Merge pull request #120620 from mweinelt/empty-capability-bounding-sets

nixos/{opendkim,rspamd}: Fix CapabilityBoundingSet option
2021-05-01 08:17:19 +02:00 · 2021-05-01 08:17:19 +02:00 · 85aef7706e
parent 3b07746b0a 6f358fa1d4
commit 85aef7706e
2 changed files with 2 additions and 2 deletions
--- a/nixos/modules/services/mail/opendkim.nix
+++ b/nixos/modules/services/mail/opendkim.nix
@ -134,7 +134,7 @@ in {
        ReadWritePaths = [ cfg.keyPath ];

        AmbientCapabilities = [];
-        CapabilityBoundingSet = [];
+        CapabilityBoundingSet = "";
        DevicePolicy = "closed";
        LockPersonality = true;
        MemoryDenyWriteExecute = true;
--- a/nixos/modules/services/mail/rspamd.nix
+++ b/nixos/modules/services/mail/rspamd.nix
@ -410,7 +410,7 @@ in
        StateDirectoryMode = "0700";

        AmbientCapabilities = [];
-        CapabilityBoundingSet = [];
+        CapabilityBoundingSet = "";
        DevicePolicy = "closed";
        LockPersonality = true;
        NoNewPrivileges = true;