Always run nosuid after dropping privs - mrrl-system-config

commit 7ce6de0ff3b5ebdb4172b73ef910aa572ed83f5b
parent 111d53a08891c6d23cb4d5eee9af27cd2895f9ab
Author: ccx <ccx@te2000.cz>
Date:   Tue, 12 Mar 2024 01:17:22 +0000

Always run nosuid after dropping privs

Diffstat:
M s6-rc.aat  | 4 ++++

1 file changed, 4 insertions(+), 0 deletions(-)
diff --git a/s6-rc.aat b/s6-rc.aat
@@ -279,6 +279,7 @@
 	if { chown {<u.name>}: /run/user/{<u.id>}.logs }
 	if { chmod 700 /run/user/{<u.id>}.logs }
 	s6-setuidgid {<u.name>}
+	nosuid
 	s6-log -- t /run/user/{<u.id>}.logs
 |end()
 
@@ -292,6 +293,7 @@
 	if { chown {<u.name>}: /run/user/{<u.id>} }
 	if { chmod 700 /run/user/{<u.id>} }
 	s6-setuidgid {<u.name>}
+	nosuid
 	if { mkdir -p /run/user/{<u.id>}/service }
 	s6-svscan -d 3 /run/user/{<u.id>}/service
 |end()
@@ -303,6 +305,7 @@
 |run_el()
 	/usr/bin/env HOME=/var/lib/syncthing
 	s6-setuidgid syncthing
+	nosuid
 	syncthing -logflags 0
 |end()
 
@@ -377,6 +380,7 @@ CN	#!{{env_el("containers")}} -P
 	redirfd -w 1 /dev/tty${vtN}
 	s6-setsid
 	s6-setuidgid xorg
+	nosuid
 	Xorg
 	  -displayfd 5
 	  -nolisten local

	mrrl-system-config system configuration on top of MRRL
	git clone https://ccx.te2000.cz/git/mrrl-system-config
	Log \| Files \| Refs