
keyd: run systemd service as root user not dynamic #226490

Closed
wants to merge 2 commits into from

Conversation

woojiq (Contributor) commented Apr 16, 2023

Description of changes

Fixes #226346

Things done
  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandbox = true set in nix.conf? (See Nix manual)
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 23.05 Release Notes (or backporting 22.11 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
  • Fits CONTRIBUTING.md.

@github-actions github-actions bot added 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: module (update) This PR changes an existing module in `nixos/` labels Apr 16, 2023
@ofborg ofborg bot added 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin 10.rebuild-linux: 1-10 labels Apr 16, 2023
@woojiq woojiq marked this pull request as draft April 17, 2023 05:59
@woojiq woojiq marked this pull request as ready for review May 15, 2023 08:46
woojiq (Contributor, Author) commented May 15, 2023

cc @pennae, would you mind checking the PR?

pennae (Contributor) left a comment

not terribly enthused about having to run this as root, but if that's the only way it works properly then so be it. we should add a few more hardenings though, many of which are implied by DynamicUser:

  • NoNewPrivileges
  • RestrictNamespaces
  • RestrictSUIDSGID
  • PrivateTmp
  • RemoveIPC
  • SystemCallFilter!
  • RestrictAddressFamilies for all families (probably, does keyd need any networking?)
  • PrivateNetwork (same as above, extra layer of defense)
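The following NixOS module fragment is an added example, not code from this PR or from the nixpkgs keyd module. It shows what a static-root keyd unit looks like once the hardening directives listed in the review are applied explicitly, since none of them come for free without DynamicUser. The DeviceAllow list, the @system-service seccomp set and the AF_UNIX-only address family are assumptions about what keyd needs (evdev input, /dev/uinput, and a local control socket); each should be validated against the real daemon before being relied on. If the existing services.keyd module is enabled, only the serviceConfig hardening keys should be added to it, because ExecStart is already defined there.

```nix
# Added example, not code from this PR or from the nixpkgs keyd module.
# A NixOS module fragment that keeps keyd running as root (no DynamicUser)
# but re-applies the hardening the review lists. Values marked "assumption"
# must be validated against keyd's real behaviour before use.
{ pkgs, ... }:
{
  systemd.services.keyd = {
    description = "keyd key remapping daemon";
    wantedBy = [ "multi-user.target" ];
    serviceConfig = {
      ExecStart = "${pkgs.keyd}/bin/keyd";
      Restart = "always";

      # Assumption: keyd only reads evdev devices and writes to /dev/uinput.
      # Deny every other device node so root in this unit cannot reach the
      # rest of /dev even though it has the uid to do so.
      DevicePolicy = "closed";
      DeviceAllow = [ "char-input rw" "/dev/uinput rw" ];

      # Hardening that DynamicUser=true implies and that is lost when the
      # service runs as a static root user:
      NoNewPrivileges = true;
      RestrictNamespaces = true;
      RestrictSUIDSGID = true;
      PrivateTmp = true;
      RemoveIPC = true;

      # Seccomp: allow the general system-service set only, on the native ABI.
      # Assumption: @system-service covers keyd's open/read/write/ioctl use of
      # evdev and uinput; deny further groups only after testing, since the
      # default action for a filtered call is to kill the process.
      SystemCallArchitectures = "native";
      SystemCallFilter = [ "@system-service" ];

      # Assumption: keyd's only socket is its AF_UNIX control socket, so the
      # network namespace can be removed and every other family blocked.
      PrivateNetwork = true;
      RestrictAddressFamilies = [ "AF_UNIX" ];
    };
  };
}
```

After a rebuild, `systemd-analyze security keyd.service` prints the exposure score for the unit and lists which of the above settings it still considers missing, and `journalctl -u keyd` shows whether the seccomp filter or DeviceAllow list is too tight (the daemon is killed or fails to open its devices rather than silently losing features).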

@woojiq woojiq closed this May 15, 2023
woojiq (Contributor, Author) commented May 15, 2023

@pennae I messed up the git a bit so I created a new PR with the changes: #232029

Development: successfully merging this pull request may close these issues:
keyd only remaps laptop keyboard