kyle/imladris
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Relax mcp-agent sandbox for rootless podman compatibility

Browse Source
This commit is contained in:
Kyle Isom
2026-03-26 14:34:50 -07:00
parent bac757c22e
commit 7f0a978e86
1 changed files with 2 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
configs/mcp.nix
View File

@@ -42,22 +42,16 @@ in
]; ];
NoNewPrivileges = true; NoNewPrivileges = true;
ProtectSystem = "strict"; ProtectSystem = "full"; # "strict" blocks /run/user; "full" protects /usr and /boot
ProtectHome = true; ProtectHome = true;
PrivateTmp = true; PrivateTmp = true;
PrivateDevices = true; PrivateDevices = true;
ProtectKernelTunables = true; ProtectKernelTunables = true;
ProtectKernelModules = true; ProtectKernelModules = true;
ProtectControlGroups = true;
RestrictSUIDSGID = true; RestrictSUIDSGID = true;
RestrictNamespaces = true;
LockPersonality = true; LockPersonality = true;
MemoryDenyWriteExecute = true;
RestrictRealtime = true; RestrictRealtime = true;
ReadWritePaths = [ ReadWritePaths = [ "/srv" ];
"/srv"
"/run/user/${toString mcpUid}"
];
}; };
}; };
} }