Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
nixos-containers: Set DevicePolicy=closed
This makes the container a bit more secure, by preventing root creating device nodes to access the host file system, for instance. (Reference: systemd-nspawn@.service in systemd.)
- Loading branch information
fd5bbdb
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe related to systemd/container changes: the tests are failing now with
command
test ! -e /var/lib/containers/foo' did not succeed (exit code 1)`http://hydra.nixos.org/build/38127048/nixlog/16/raw