nixos/logrotate: relax hardening (#345275)

mweinelt · web-flow · commit 6710d0dd013f · 2024-09-29T16:24:34.000+02:00
diff --git a/nixos/modules/services/logging/logrotate.nix b/nixos/modules/services/logging/logrotate.nix
@@ -260,6 +260,8 @@ in
         # hardening
         CapabilityBoundingSet = [
           "CAP_CHOWN"
+          "CAP_DAC_OVERRIDE"
+          "CAP_SETUID"
           "CAP_SETGID"
         ];
         DevicePolicy = "closed";
@@ -280,16 +282,16 @@ in
         ProtectSystem = "full";
         RestrictNamespaces = true;
         RestrictRealtime = true;
-        RestrictSUIDSGID = true;
+        RestrictSUIDSGID = false; # can create sgid directories
         SystemCallArchitectures = "native";
         SystemCallFilter = [
-          "@system-service"
+          "@system-service @setuid"
           "~@privileged @resources"
           "@chown"
         ];
         UMask = "0027";
       } // lib.optionalAttrs (!cfg.allowNetworking) {
-        PrivateNetwork = true;
+        PrivateNetwork = true; # e.g. mail delivery
         RestrictAddressFamilies = "none";
       };
     };
