fix(systemd): add ReadWritePaths for /etc/hosts

Signed-off-by: Adam Rizkalla <ajarizzo@gmail.com>
2025-09-26 21:01:14 +08:00 · 2025-03-01 23:28:09 +00:00
parent e073af34ab
commit b798180358
2 changed files with 5 additions and 1 deletions
--- a/etc/systemd/cunicu.service
+++ b/etc/systemd/cunicu.service
@@ -46,6 +46,7 @@ ProtectKernelLogs=yes
 ProtectKernelTunables=yes
 ProtectProc=invisible
 ProtectSystem=strict
+ReadWritePaths=-/etc/hosts
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
 RestrictNamespaces=yes
 RestrictRealtime=yes
@@ -55,4 +56,4 @@ SystemCallErrorNumber=EPERM
 SystemCallArchitectures=native

 [Install]
-WantedBy=multi-user.target
+WantedBy=multi-user.target
--- a/nix/module.nix
+++ b/nix/module.nix
@@ -154,6 +154,9 @@ in
            ProtectKernelTunables = true;
            ProtectProc = "invisible";
            ProtectSystem = "strict";
+            ReadWritePaths = [
+              "-/etc/hosts"
+            ];
            RestrictAddressFamilies = [
              "AF_UNIX"
              "AF_INET"