kyle/imladris
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Disable ProtectHome for mcp-agent (blocks /run/user for podman)

Browse Source
This commit is contained in:
Kyle Isom
2026-03-26 14:40:54 -07:00
parent 7f0a978e86
commit e7d244c606
1 changed files with 3 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
configs/mcp.nix
View File

@@ -43,7 +43,9 @@ in
NoNewPrivileges = true; NoNewPrivileges = true;
ProtectSystem = "full"; # "strict" blocks /run/user; "full" protects /usr and /boot ProtectSystem = "full"; # "strict" blocks /run/user; "full" protects /usr and /boot
ProtectHome = true; # ProtectHome makes /run/user inaccessible, which breaks rootless podman.
# The agent's home is /srv/mcp (not /home), so this is acceptable.
ProtectHome = false;
PrivateTmp = true; PrivateTmp = true;
PrivateDevices = true; PrivateDevices = true;
ProtectKernelTunables = true; ProtectKernelTunables = true;