
clash-verge-rev: move IPC path to /run/clash-verge-rev/service.sock for better security #420530

Merged: symphorien merged 2 commits into NixOS:master from Bot-wxt1221:clash-verge, Jul 7, 2025

Conversation

Bot-wxt1221 (Member) commented Jun 27, 2025

move socket path to /run/clash-verge-rev/service.sock

Things done

  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
    • sandbox = relaxed
    • sandbox = true
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • Nixpkgs 25.11 Release Notes (or backporting 24.11 and 25.05 Nixpkgs Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
  • NixOS 25.11 Release Notes (or backporting 24.11 and 25.05 NixOS Release notes)
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
  • Fits CONTRIBUTING.md, pkgs/README.md, maintainers/README.md and other contributing documentation in corresponding paths.


@Bot-wxt1221 Bot-wxt1221 requested a review from Prince213 June 27, 2025 13:30
@nixpkgs-ci nixpkgs-ci bot added 10.rebuild-linux: 1-10 This PR causes between 1 and 10 packages to rebuild on Linux. 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin. 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: module (update) This PR changes an existing module in `nixos/` labels Jun 27, 2025
Prince213 (Member) commented:

Hi @Bot-wxt1221, can you rephrase your PR description?

Also, please describe what kind of operations are prevented for easier understanding of the significance of the PR.

Bot-wxt1221 (Member, Author) commented:

@Prince213 It's clear. This program will create IPC for other programs in userspace. These systemd hardening options are typical.

Prince213 (Member) commented:

AF_UNIX and RestrictNamespaces is for creating IPC
ProtectSystem=strict and ProtectTmp prevent it from operation under /tmp

Also, https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html

if ProtectSystem= is set to "strict" and PrivateTmp= is enabled, then /tmp/ and /var/tmp/ will be writable

Does the program try to write to /tmp? If so shouldn't it be allowed to do that?

Bot-wxt1221 (Member, Author) commented Jun 28, 2025

@Prince213 It places its IPC under /tmp. We need /tmp for everyone to read. Or we move it to another place.

Prince213 (Member) commented Jun 28, 2025

What about placing this in /run with RuntimeDirectory?

https://0pointer.net/blog/projects/tmp.html

/run (traditionally /var/run) where privileged daemons can store runtime data, such as communication primitives. This is where your daemon should place its sockets.
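The approach proposed in this thread, shown as an added NixOS module fragment (this is illustrative code, not the nixpkgs module or the clash-verge-rev project's own code). The unit name `clash-verge-rev-service`, the `--socket` flag and the package attribute `pkgs.clash-verge-rev` are assumptions; only the option names and the /run/clash-verge-rev/service.sock path come from the discussion.

```nix
# Added illustration, not the nixpkgs module's actual code. The service name,
# the ExecStart command line and its --socket flag are assumptions.
{ config, pkgs, ... }:

let
  # Socket location proposed in the PR: a RuntimeDirectory under /run,
  # which systemd creates before the service starts and removes on stop.
  socketPath = "/run/clash-verge-rev/service.sock";
in
{
  systemd.services.clash-verge-rev-service = {
    description = "clash-verge-rev privileged helper (IPC socket under /run)";
    wantedBy = [ "multi-user.target" ];
    after = [ "network.target" ];

    serviceConfig = {
      # Hypothetical invocation: the real helper's CLI is not shown on the page.
      ExecStart = "${pkgs.clash-verge-rev}/bin/clash-verge-service --socket ${socketPath}";

      # systemd creates /run/clash-verge-rev (mode RuntimeDirectoryMode) and
      # keeps it writable even under ProtectSystem=strict, so the hardening
      # below no longer has to be dropped to let the daemon bind its socket.
      RuntimeDirectory = "clash-verge-rev";
      RuntimeDirectoryMode = "0755";   # traversable, so unprivileged clients can reach the socket

      # Options named in the thread. With the socket in /tmp these two would
      # have to go: PrivateTmp gives the unit its own /tmp that clients cannot
      # see, and ProtectSystem=strict leaves that private /tmp as one of the
      # few writable paths.
      ProtectSystem = "strict";
      PrivateTmp = true;

      # Local IPC needs only Unix-domain sockets.
      RestrictAddressFamilies = "AF_UNIX";
      RestrictNamespaces = true;
    };
  };
}
```

Note that RuntimeDirectoryMode governs only the directory; the mode of the socket file itself is decided by the daemon (via its umask and any chmod it performs), so whether "everyone can read" the socket, as the PR author needs, still depends on the program, not on this unit file.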

Prince213 (Member) commented:

Issue has been filed upstream: clash-verge-rev/clash-verge-service#13

Bot-wxt1221 changed the title from "nixos/clash-verge: remove some harden options because it is used now" to "clash-verge-rev: move IPC path to /run/clash-verge-rev/service.sock for better security" Jun 28, 2025
Prince213 (Member) left a review comment:

Diff LGTM

@Prince213 Prince213 added the 12.approvals: 1 This PR was reviewed and approved by one person. label Jul 5, 2025
@symphorien symphorien merged commit e69f17b into NixOS:master Jul 7, 2025
27 of 28 checks passed