From f98011803ebbe7e68e2133a3405d4928f3c274c7 Mon Sep 17 00:00:00 2001
From: Martin Weinelt
Date: Sun, 4 Sep 2022 16:14:17 +0200
Subject: [PATCH] nixos/paperless: Restrict CAP_NET_BIND_SERVICE

Handing CAP_NET_BIND_SERVICE to the `paperless-web.service` only makes sense when it actually wants to bind to a port < 1024. Don't hand it out if that is not the case.
---
 nixos/modules/services/misc/paperless.nix | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/nixos/modules/services/misc/paperless.nix b/nixos/modules/services/misc/paperless.nix
index 9e554b93fc82..b1cf72258d17 100644
--- a/nixos/modules/services/misc/paperless.nix
+++ b/nixos/modules/services/misc/paperless.nix
@@ -286,12 +286,13 @@ in
 '';
 Restart = "on-failure";
-AmbientCapabilities = "CAP_NET_BIND_SERVICE";
-CapabilityBoundingSet = "CAP_NET_BIND_SERVICE";
 # gunicorn needs setuid, liblapack needs mbind
 SystemCallFilter = defaultServiceConfig.SystemCallFilter ++ [ "@setuid mbind" ];
 # Needs to serve web page
 PrivateNetwork = false;
+} // lib.optionalAttrs (cfg.port < 1024) {
+AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
+CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
 };
 environment = env // {
 PATH = mkForce cfg.package.path;