nixos/clash: restrict tunMode further

works for me(tm)
2024-01-22 00:47:53 +08:00 · 2024-01-22 00:47:53 +08:00 · 0d6792fcfd
commit 0d6792fcfd
parent db3baf65c0
1 changed files with 2 additions and 2 deletions
--- a/nixos/modules/services/clash.nix
+++ b/nixos/modules/services/clash.nix
@ -95,8 +95,8 @@ in {
          UMask = "0077";
        }
        // lib.optionalAttrs cfg.tunMode {
-          AmbientCapabilities = "CAP_NET_ADMIN CAP_NET_RAW";
-          CapabilityBoundingSet = "CAP_NET_ADMIN CAP_NET_RAW";
+          AmbientCapabilities = "CAP_NET_ADMIN";
+          CapabilityBoundingSet = "CAP_NET_ADMIN";
          PrivateDevices = false;
          PrivateUsers = false;
          RestrictAddressFamilies = "AF_INET AF_INET6 AF_NETLINK";