nixos/clash-verge: move IPC path to /run/clash-verge-rev/service.sock for better security

wxt 2025-06-28 14:38:46 +08:00
parent b222541e31
commit 4b5d9e4a0d


@ -68,12 +68,13 @@
ProtectControlGroups = true; ProtectControlGroups = true;
LockPersonality = true; LockPersonality = true;
RestrictRealtime = true; RestrictRealtime = true;
RuntimeDirectory = "clash-verge-rev";
ProtectClock = true; ProtectClock = true;
MemoryDenyWriteExecute = true; MemoryDenyWriteExecute = true;
RestrictSUIDSGID = true; RestrictSUIDSGID = true;
RestrictNamespaces = [ "~user cgroup ipc mnt uts" ]; RestrictNamespaces = [ "~user cgroup mnt uts" ];
RestrictAddressFamilies = [ RestrictAddressFamilies = [
"AF_INET AF_INET6 AF_NETLINK AF_PACKET AF_RAW" "AF_INET AF_INET6 AF_NETLINK AF_PACKET AF_UNIX"
]; ];
CapabilityBoundingSet = [ CapabilityBoundingSet = [
"CAP_NET_ADMIN CAP_NET_RAW CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SETUID CAP_SETGID CAP_CHOWN CAP_MKNOD" "CAP_NET_ADMIN CAP_NET_RAW CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SETUID CAP_SETGID CAP_CHOWN CAP_MKNOD"
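Review bot: The new `RestrictNamespaces` line drops `ipc` from the deny list, so the service may now create IPC namespaces it could not create before; a socket under /run should not need that, since IPC namespaces cover System V IPC and POSIX message queues rather than AF_UNIX sockets, so `RestrictNamespaces = [ "~user cgroup ipc mnt uts" ];` can probably stay as it was. Separately, `RuntimeDirectory = "clash-verge-rev";` is added without a `RuntimeDirectoryMode`, so the directory gets systemd's default 0755 and access to service.sock rests entirely on the mode the daemon gives the socket. Given the capabilities kept in `CapabilityBoundingSet` (CAP_SYS_ADMIN, CAP_DAC_OVERRIDE, CAP_SETUID), a comment should state which users are meant to connect, and the directory could be tightened with `RuntimeDirectoryMode = "0750";` plus a dedicated group if the client can run as a member of it. The attribute set starts and ends outside this hunk, so a mode or group may already be set elsewhere.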