Merge pull request #49395 from dtzWill/update/upower-0.99.9

upower: 0.99.7 -> 0.99.9, lock down service
This commit is contained in:
xeji 2018-10-30 15:57:11 +01:00 committed by GitHub
commit 1d9481a127
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 29 additions and 3 deletions

View File

@ -56,6 +56,32 @@ in
{ Type = "dbus";
BusName = "org.freedesktop.UPower";
ExecStart = "@${cfg.package}/libexec/upowerd upowerd";
Restart = "on-failure";
# Upstream lockdown:
# Filesystem lockdown
ProtectSystem = "strict";
# Needed by keyboard backlight support
ProtectKernelTunables = false;
ProtectControlGroups = true;
ReadWritePaths = "/var/lib/upower";
ProtectHome = true;
PrivateTmp = true;
# Network
# PrivateNetwork=true would block udev's netlink socket
RestrictAddressFamilies = "AF_UNIX AF_NETLINK";
# Execute Mappings
MemoryDenyWriteExecute = true;
# Modules
ProtectKernelModules = true;
# Real-time
RestrictRealtime = true;
# Privilege escalation
NoNewPrivileges = true;
};
};

View File

@ -4,11 +4,11 @@
}:
stdenv.mkDerivation rec {
name = "upower-0.99.7";
name = "upower-0.99.9";
src = fetchurl {
url = "https://upower.freedesktop.org/releases/${name}.tar.xz";
sha256 = "00d4830yvg84brdhz4kn60lr3r8rn2y8gdbhmhxm78i5mgvc5g14";
url = https://gitlab.freedesktop.org/upower/upower/uploads/2282c7c0e53fb31816b824c9d1f547e8/upower-0.99.9.tar.xz;
sha256 = "046ix7j7hmb7ycv8v54668kjsrgjhzwxn299c1d87vdnkd38kfh1";
};
buildInputs =