nyancat/flake
1
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

nixos/clash: restrict tunMode further

Browse source 
works for me(tm)
This commit is contained in:
Guanran Wang 2024-01-22 00:47:53 +08:00
parent db3baf65c0
commit 0d6792fcfd
Signed by: nyancat
SSH key fingerprint: SHA256:8oWGKciPALWut/6WA27oFKofX+6Wtc0gQnsefXLQx/8
1 changed files with 2 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
nixos/modules/services/clash.nix
View file

@ -95,8 +95,8 @@ in {
UMask = "0077"; UMask = "0077";
} }
// lib.optionalAttrs cfg.tunMode { // lib.optionalAttrs cfg.tunMode {
AmbientCapabilities = "CAP_NET_ADMIN CAP_NET_RAW"; AmbientCapabilities = "CAP_NET_ADMIN";
CapabilityBoundingSet = "CAP_NET_ADMIN CAP_NET_RAW"; CapabilityBoundingSet = "CAP_NET_ADMIN";
PrivateDevices = false; PrivateDevices = false;
PrivateUsers = false; PrivateUsers = false;
RestrictAddressFamilies = "AF_INET AF_INET6 AF_NETLINK"; RestrictAddressFamilies = "AF_INET AF_INET6 AF_NETLINK";