b12f/nixpkgs
1
0
Fork 0
Code Issues Pull requests Packages Projects Releases Wiki Activity

Merge pull request #108028 from Mic92/confinment

Browse source 
systemd-confinement: use /var/empty as chroot mountpoint
This commit is contained in:
Jörg Thalheim 2021-07-01 07:09:27 +01:00 committed by GitHub
parent cd687af9f4 e12188c0f2
commit 8737aa9311
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 1 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
nixos/modules/security/systemd-confinement.nix
View file

@ -105,7 +105,7 @@ in {
wantsAPIVFS = lib.mkDefault (config.confinement.mode == "full-apivfs");
in lib.mkIf config.confinement.enable {
serviceConfig = {
RootDirectory = pkgs.runCommand rootName {} "mkdir \"$out\"";
RootDirectory = "/var/empty";
TemporaryFileSystem = "/";
PrivateMounts = lib.mkDefault true;