From 4b5d9e4a0d2200435ca8611047d57a267e8d9749 Mon Sep 17 00:00:00 2001
From: wxt <3264117476@qq.com>
Date: Sat, 28 Jun 2025 14:38:46 +0800
Subject: [PATCH] nixos/clash-verge: move IPC path to /run/clash-verge-rev/service.sock for better security
---
 nixos/modules/programs/clash-verge.nix | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/nixos/modules/programs/clash-verge.nix b/nixos/modules/programs/clash-verge.nix
index 13a079864eca..863279fefe52 100644
--- a/nixos/modules/programs/clash-verge.nix
+++ b/nixos/modules/programs/clash-verge.nix
@@ -68,12 +68,13 @@
 ProtectControlGroups = true;
 LockPersonality = true;
 RestrictRealtime = true;
+ RuntimeDirectory = "clash-verge-rev";
 ProtectClock = true;
 MemoryDenyWriteExecute = true;
 RestrictSUIDSGID = true;
- RestrictNamespaces = [ "~user cgroup ipc mnt uts" ];
+ RestrictNamespaces = [ "~user cgroup mnt uts" ];
 RestrictAddressFamilies = [
- "AF_INET AF_INET6 AF_NETLINK AF_PACKET AF_RAW"
+ "AF_INET AF_INET6 AF_NETLINK AF_PACKET AF_UNIX"
 ];
 CapabilityBoundingSet = [
 "CAP_NET_ADMIN CAP_NET_RAW CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SETUID CAP_SETGID CAP_CHOWN CAP_MKNOD"
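Review bot: The added `RuntimeDirectory = "clash-verge-rev";` creates /run/clash-verge-rev with systemd's default directory mode of 0755, so unless the socket itself is created with restrictive permissions, any local user can connect to a service that keeps CAP_SYS_ADMIN, CAP_DAC_OVERRIDE and CAP_SETUID in its bounding set; consider adding `RuntimeDirectoryMode = "0750";` next to it and documenting which group is meant to reach the socket. The hunk also relaxes `RestrictNamespaces` by dropping `ipc` from the deny list, which is unrelated to moving a Unix socket path and is not explained in the commit message — either restore `RestrictNamespaces = [ "~user cgroup ipc mnt uts" ];` or add a comment stating why the service needs to create IPC namespaces. The swap to `AF_UNIX` is what a Unix socket actually needs (AF_RAW is not a Linux address family as far as I know, so the old entry was presumably inert), but nothing in this hunk sets the socket path, so the /run/clash-verge-rev/service.sock named in the subject presumably comes from the package or from lines outside this hunk and should be referenced in the commit message. The serviceConfig attribute set continues outside the hunk.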