mirror of
https://github.com/ilyakooo0/nixpkgs.git
synced 2024-12-24 20:02:58 +03:00
unbound service: some pre-chroot isolation
While entering the chroot should provide the same amount of isolation, the preStart script will run with full root privileges and so would benefit from some isolation as well (in particular due to unbound-anchor, which can perform network I/O).
This commit is contained in:
parent
39f5182a30
commit
5dc60051fa
@ -122,6 +122,10 @@ in
|
||||
serviceConfig = {
|
||||
ExecStart = "${pkgs.unbound}/bin/unbound -d -c ${stateDir}/unbound.conf";
|
||||
ExecStopPost="${pkgs.utillinux}/bin/umount ${stateDir}/dev/random";
|
||||
|
||||
ProtectSystem = true;
|
||||
ProtectHome = true;
|
||||
PrivateDevices = true;
|
||||
};
|
||||
};
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user