security(lamassu): re-enable sandboxing for build service
Some checks failed
nix-bitcoin tests / build_test_drivers (push) Has been cancelled
nix-bitcoin tests / check_flake (push) Has been cancelled
nix-bitcoin tests / test_scenario (default) (push) Has been cancelled
nix-bitcoin tests / test_scenario (joinmarket-bitcoind-29) (push) Has been cancelled
nix-bitcoin tests / test_scenario (netns) (push) Has been cancelled
nix-bitcoin tests / test_scenario (netnsRegtest) (push) Has been cancelled
Some checks failed
nix-bitcoin tests / build_test_drivers (push) Has been cancelled
nix-bitcoin tests / check_flake (push) Has been cancelled
nix-bitcoin tests / test_scenario (default) (push) Has been cancelled
nix-bitcoin tests / test_scenario (joinmarket-bitcoind-29) (push) Has been cancelled
nix-bitcoin tests / test_scenario (netns) (push) Has been cancelled
nix-bitcoin tests / test_scenario (netnsRegtest) (push) Has been cancelled
The build service only needs write access to the data directory. Re-enable ProtectSystem, ProtectHome, NoNewPrivileges with ReadWritePaths to allow writes to /var/lib/lamassu-server. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
Patrick Mulligan
parent
04f008d1cf
commit
3d45dcadbd
1 changed files with 5 additions and 5 deletions
|
|
@ -281,11 +281,11 @@ in
|
||||||
TimeoutStartSec = "30min";
|
TimeoutStartSec = "30min";
|
||||||
KillMode = "process";
|
KillMode = "process";
|
||||||
KillSignal = "SIGTERM";
|
KillSignal = "SIGTERM";
|
||||||
# Disable sandboxing for build
|
# Sandboxing with write access to data directory
|
||||||
PrivateTmp = false;
|
ProtectSystem = "strict";
|
||||||
ProtectSystem = false;
|
ProtectHome = true;
|
||||||
ProtectHome = false;
|
NoNewPrivileges = true;
|
||||||
NoNewPrivileges = false;
|
ReadWritePaths = [ cfg.dataDir ];
|
||||||
};
|
};
|
||||||
|
|
||||||
script = ''
|
script = ''
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue