tailscale: apply basic systemd hardening (#306241)

https://github.com/tailscale/tailscale/issues/77
2024-05-02 21:18:58 +08:00 · 2024-05-02 21:18:58 +08:00 · b247c414c4
commit b247c414c4
parent f9388726e7
1 changed files with 10 additions and 0 deletions
--- a/pkgs/servers/tailscale/default.nix
+++ b/pkgs/servers/tailscale/default.nix
@ -9,6 +9,7 @@
 , shadow
 , procps
 , nixosTests
+, fetchpatch
 }:

 let
@ -26,6 +27,15 @@ buildGoModule {
  };
  vendorHash = "sha256-pYeHqYd2cCOVQlD1r2lh//KC+732H0lj1fPDBr+W8qA=";

+  patches = [
+    # Reverts "cmd/tailscaled/tailscaled.service: revert recent hardening"
+    (fetchpatch {
+      url = "https://github.com/tailscale/tailscale/commit/2889fabaefc50040507ead652d6d2b212f476c2b.patch";
+      hash = "sha256-DPBrv7kjSVXhmptUGGzOkaP4iXi/Bym3lvqy4otL9HE=";
+      revert = true;
+    })
+  ];
+
  nativeBuildInputs = lib.optionals stdenv.isLinux [ makeWrapper ];

  CGO_ENABLED = 0;