From 3a9609613d1c98d03ec8fe3235a6aff3d3d2da21 Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Sun, 25 Apr 2021 20:24:07 +0200 Subject: [PATCH 1/2] nixos/opendkim: Fix CapabilityBoundingSet option An empty list results in no CapabilityBoundingSet at all, an empty string however will set `CapabilityBoundingSet=`, which represents a closed set. Related: #120617 --- nixos/modules/services/mail/opendkim.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nixos/modules/services/mail/opendkim.nix b/nixos/modules/services/mail/opendkim.nix index 9bf6f338d93e..beff57613afc 100644 --- a/nixos/modules/services/mail/opendkim.nix +++ b/nixos/modules/services/mail/opendkim.nix @@ -134,7 +134,7 @@ in { ReadWritePaths = [ cfg.keyPath ]; AmbientCapabilities = []; - CapabilityBoundingSet = []; + CapabilityBoundingSet = ""; DevicePolicy = "closed"; LockPersonality = true; MemoryDenyWriteExecute = true; From 6f358fa1d48d162b529635b7e137ea562b236621 Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Sun, 25 Apr 2021 20:26:22 +0200 Subject: [PATCH 2/2] nixos/rspamd: Fix CapabilityBoundingSet option An empty list results in no CapabilityBoundingSet at all, an empty string however will set `CapabilityBoundingSet=`, which represents a closed set. Related: #120617 --- nixos/modules/services/mail/rspamd.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nixos/modules/services/mail/rspamd.nix b/nixos/modules/services/mail/rspamd.nix index 2f9d28195bd8..473ddd52357d 100644 --- a/nixos/modules/services/mail/rspamd.nix +++ b/nixos/modules/services/mail/rspamd.nix @@ -410,7 +410,7 @@ in StateDirectoryMode = "0700"; AmbientCapabilities = []; - CapabilityBoundingSet = []; + CapabilityBoundingSet = ""; DevicePolicy = "closed"; LockPersonality = true; NoNewPrivileges = true;