nixos-containers: Set DevicePolicy=closed
This makes the container a bit more secure, by preventing root
from creating device nodes to access the host file system, for
instance. (Reference: systemd-nspawn@.service in systemd.)
edolstra committed Jul 28, 2016
1 parent bf3edfb commit fd5bbdb
Showing 1 changed file with 2 additions and 0 deletions.
2 changes: 2 additions & 0 deletions nixos/modules/virtualisation/containers.nix
Expand Up @@ -415,6 +415,8 @@ in
# after the timeout). So send an ignored signal.
KillMode = "mixed";
KillSignal = "WINCH";

DevicePolicy = "closed";
};
};
in {
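
Review bot: the added `DevicePolicy = "closed";` line has no comment, unlike the `KillSignal = "WINCH";` setting directly above it, and it arrives without any DeviceAllow entries in this hunk. A short comment giving the reason from the commit message (keeping root inside the container away from host devices) and naming systemd-nspawn@.service as the model would help the next reader. Because a closed policy limits the unit to the standard pseudo-devices plus whatever is explicitly allowed, it is worth confirming whether the referenced unit pairs the policy with DeviceAllow= lines that these containers also need, and running the container tests against the change before it lands.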

1 comment on commit fd5bbdb

Member

@vcunat vcunat commented on fd5bbdb Jul 29, 2016

Maybe related to systemd/container changes: the tests are failing now with
`command 'test ! -e /var/lib/containers/foo' did not succeed (exit code 1)`
http://hydra.nixos.org/build/38127048/nixlog/16/raw
