nixos/security/wrappers: clarify required format for capabilities

Before this change, the description for
security.wrappers.<name>.capabilities made it seem like you could just
string together the names of capabilities like this:

  capabilities = "CAP_SETUID,CAP_SETGID";

In reality, each item in the list must be a full-on capability clause:

  capabilities = "CAP_SETUID=ep,CAP_SETGID+i";

Jason Yundt 2022-09-08 17:58:10 -04:00 committed by Bjørn Forsman
parent 4886df0aea
commit 17352e8995

@ -52,10 +52,11 @@ let
{ type = lib.types.commas;
default = "";
description = lib.mdDoc ''
A comma-separated list of capabilities to be given to the wrapper
program. For capabilities supported by the system check the
{manpage}`capabilities(7)`
manual page.
A comma-separated list of capability clauses to be given to the
wrapper program. The format for capability clauses is described in the
TEXTUAL REPRESENTATION section of the {manpage}`cap_from_text(3)`
manual page. For a list of capabilities supported by the system, check
the {manpage}`capabilities(7)` manual page.
::: {.note}
`cap_setpcap`, which is required for the wrapper
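Review bot: The five replacement lines under `description = lib.mdDoc ''` still contain no concrete clause, so a reader of the rendered option docs is pointed at the TEXTUAL REPRESENTATION section of `cap_from_text(3)` without seeing that a bare name such as `CAP_SETUID` is not accepted, which is exactly the confusion the commit message describes. Suggest adding one example value to the description, e.g. the one already in the commit message, `capabilities = "CAP_SETUID=ep,CAP_SETGID+i";`, so the flag suffix (`=ep`, `+i`) is visible without leaving the page. The new wording "comma-separated list of capability clauses" is consistent with the option's `lib.types.commas` type on the unchanged context line above it, so no type change is needed.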