nixos/clash-verge: move IPC path to /run/clash-verge-rev/service.sock for better security

2025-06-28 14:38:46 +08:00 · 2025-06-28 14:38:46 +08:00 · 4b5d9e4a0d
commit 4b5d9e4a0d
parent b222541e31
1 changed files with 3 additions and 2 deletions
--- a/nixos/modules/programs/clash-verge.nix
+++ b/nixos/modules/programs/clash-verge.nix
@ -68,12 +68,13 @@
          ProtectControlGroups = true;
          LockPersonality = true;
          RestrictRealtime = true;
+          RuntimeDirectory = "clash-verge-rev";
          ProtectClock = true;
          MemoryDenyWriteExecute = true;
          RestrictSUIDSGID = true;
-          RestrictNamespaces = [ "~user cgroup ipc mnt uts" ];
+          RestrictNamespaces = [ "~user cgroup mnt uts" ];
          RestrictAddressFamilies = [
-            "AF_INET AF_INET6 AF_NETLINK AF_PACKET AF_RAW"
+            "AF_INET AF_INET6 AF_NETLINK AF_PACKET AF_UNIX"
          ];
          CapabilityBoundingSet = [
            "CAP_NET_ADMIN CAP_NET_RAW CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SETUID CAP_SETGID CAP_CHOWN CAP_MKNOD"