From 3a9609613d1c98d03ec8fe3235a6aff3d3d2da21 Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Sun, 25 Apr 2021 20:24:07 +0200 Subject: [PATCH] nixos/opendkim: Fix CapabilityBoundingSet option An empty list results in no CapabilityBoundingSet at all, an empty string however will set `CapabilityBoundingSet=`, which represents a closed set. Related: #120617
---
 nixos/modules/services/mail/opendkim.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/nixos/modules/services/mail/opendkim.nix b/nixos/modules/services/mail/opendkim.nix
index 9bf6f338d93e..beff57613afc 100644
--- a/nixos/modules/services/mail/opendkim.nix
+++ b/nixos/modules/services/mail/opendkim.nix
@@ -134,7 +134,7 @@ in {
 ReadWritePaths = [ cfg.keyPath ];
 AmbientCapabilities = [];
- CapabilityBoundingSet = [];
+ CapabilityBoundingSet = "";
 DevicePolicy = "closed";
 LockPersonality = true;
 MemoryDenyWriteExecute = true;
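Review bot: The new `CapabilityBoundingSet = "";` line carries no comment saying why it is a string rather than a list, so a later cleanup could turn it back into `[]` and silently drop the bounding-set restriction from the generated unit. I would add `# Empty string, not []: an empty list emits no directive, "" emits CapabilityBoundingSet= (closed set).` directly above it. The context line `AmbientCapabilities = [];` presumably renders to nothing for the same reason; that is harmless because systemd's default ambient set is already empty, but writing it as `""` as well would keep the two lines consistent and explicit. After deployment, `systemctl show <unit> -p CapabilityBoundingSet` confirms that the effective set is empty. The enclosing attribute set starts and ends outside the hunk.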