security(lamassu): re-enable sandboxing for build service
Some checks failed
nix-bitcoin tests / build_test_drivers (push) Has been cancelled
nix-bitcoin tests / check_flake (push) Has been cancelled
nix-bitcoin tests / test_scenario (default) (push) Has been cancelled
nix-bitcoin tests / test_scenario (joinmarket-bitcoind-29) (push) Has been cancelled
nix-bitcoin tests / test_scenario (netns) (push) Has been cancelled
nix-bitcoin tests / test_scenario (netnsRegtest) (push) Has been cancelled
The build service only needs write access to the data directory. Re-enable ProtectSystem, ProtectHome, NoNewPrivileges with ReadWritePaths to allow writes to /var/lib/lamassu-server.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
parent 04f008d1cf
commit 3d45dcadbd
1 changed files with 5 additions and 5 deletions
|
|
@ -281,11 +281,11 @@ in
|
|||
TimeoutStartSec = "30min";
|
||||
KillMode = "process";
|
||||
KillSignal = "SIGTERM";
|
||||
# Disable sandboxing for build
|
||||
PrivateTmp = false;
|
||||
ProtectSystem = false;
|
||||
ProtectHome = false;
|
||||
NoNewPrivileges = false;
|
||||
# Sandboxing with write access to data directory
|
||||
ProtectSystem = "strict";
|
||||
ProtectHome = true;
|
||||
NoNewPrivileges = true;
|
||||
ReadWritePaths = [ cfg.dataDir ];
|
||||
};
|
||||
|
||||
script = ''
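Review bot: `PrivateTmp = false;` is dropped from the old block, but the new sandboxing block sets no `PrivateTmp` value, and the commit message names only ProtectSystem, ProtectHome and NoNewPrivileges. With `ProtectSystem = "strict";` the whole file system except /dev, /proc and /sys is read-only, so unless a private /tmp is inherited from defaults outside this hunk, the build can write only under `cfg.dataDir` and /tmp is not writable. Set it explicitly next to `ReadWritePaths = [ cfg.dataDir ];` (for example `PrivateTmp = true;`) and say so in the message. Also confirm that any cache or home directory the build script uses lives under `cfg.dataDir`, since `ProtectHome = true;` hides /home, /root and /run/user; the checks listed for this push were cancelled, so the build has not been shown to pass under these settings.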