log when mox root process cannot forward signals to unprivileged child
and give the mox.service permissions to send such signals.
mjl- committed Nov 21, 2024
1 parent 3d4cd00 commit 32d4e9a
Showing 2 changed files with 6 additions and 3 deletions.
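--- a/mox-/forkexec_unix.go
+++ b/mox-/forkexec_unix.go
@@ -59,8 +59,11 @@ func ForkExecUnprivileged() {
 sigc := make(chan os.Signal, 1)
 signal.Notify(sigc, os.Interrupt, syscall.SIGTERM)
 go func() {
-sig := <-sigc
-p.Signal(sig)
+for {
+sig := <-sigc
+err := p.Signal(sig)
+pkglog.Check(err, "forwarding signal root to unprivileged process")
+}
 }()
 
 st, err := p.Wait()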
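Review bot: The forwarding goroutine in ForkExecUnprivileged now loops with no exit condition, so a signal delivered after `p.Wait()` has returned would still reach `p.Signal` and be logged as a forwarding failure even though the child has simply exited. The rest of the function is outside the hunk, so this only matters if the root process does not exit promptly after the wait. The log message also does not say which signal failed to be forwarded, which an operator would want when diagnosing a stop request that never reaches the child. A comment above the loop would record the dependency on the unit file, for example `// Forward every signal, not only the first; signalling the unprivileged child needs CAP_KILL when the capability bounding set is restricted (see mox.service).`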
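--- a/mox.service
+++ b/mox.service
@@ -23,7 +23,7 @@ ReadWritePaths=/home/mox/config /home/mox/data
 ProtectKernelTunables=yes
 ProtectControlGroups=yes
 AmbientCapabilities=
-CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE CAP_CHOWN CAP_FSETID CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER
+CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE CAP_CHOWN CAP_FSETID CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER CAP_KILL
 NoNewPrivileges=yes
 RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX AF_NETLINK
 ProtectProc=invisible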
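Review bot: CAP_KILL on the `CapabilityBoundingSet=` line is not scoped to the unprivileged child; it lifts the sender-UID permission check for signals in general, so the reason for granting it should be recorded next to the setting. systemd unit files accept `#` comment lines, so a line such as `# CAP_KILL: the root process forwards SIGINT/SIGTERM to the unprivileged mox child.` directly above would do. Installations that keep an older copy of this unit will not gain the capability on upgrade; the new log message in mox-/forkexec_unix.go is presumably how they would notice, and the upgrade notes could say so.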
