Merge pull request #108028 from Mic92/confinment
systemd-confinement: use /var/empty as chroot mountpoint
commit
8737aa9311
|
@ -105,7 +105,7 @@ in {
|
||||||
wantsAPIVFS = lib.mkDefault (config.confinement.mode == "full-apivfs");
|
wantsAPIVFS = lib.mkDefault (config.confinement.mode == "full-apivfs");
|
||||||
in lib.mkIf config.confinement.enable {
|
in lib.mkIf config.confinement.enable {
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
RootDirectory = pkgs.runCommand rootName {} "mkdir \"$out\"";
|
RootDirectory = "/var/empty";
|
||||||
TemporaryFileSystem = "/";
|
TemporaryFileSystem = "/";
|
||||||
PrivateMounts = lib.mkDefault true;
|
PrivateMounts = lib.mkDefault true;
|
||||||
|
|
||||||
|
|
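Review bot: `RootDirectory = "/var/empty";` makes the chroot mountpoint a mutable path outside the Nix store, where the removed `pkgs.runCommand` directory was immutable and guaranteed to exist, and nothing in the hunk says why that is safe. The line deserves a comment such as `# only a mountpoint: TemporaryFileSystem = "/" mounts a tmpfs over it, so its contents are never visible to the unit`. It presumably relies on the system creating /var/empty, empty and non-writable, before any confined unit starts, which is worth confirming because a missing root directory should make the unit fail at start. If `rootName` was used only by the removed line it may now be an unused binding; its definition is outside the hunk.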