diff --git a/assets/systemd/muscl.service b/assets/systemd/muscl.service
index 007bba3..750c7b8 100644
--- a/assets/systemd/muscl.service
+++ b/assets/systemd/muscl.service
@@ -4,7 +4,7 @@ Requires=muscl.socket
 [Service]
 Type=notify
-ExecStart=/usr/bin/muscl server --systemd socket-activate
+ExecStart=/usr/bin/muscl server --systemd --disable-landlock socket-activate
 ExecReload=/usr/bin/kill -HUP $MAINPID
 WatchdogSec=15
diff --git a/nix/module.nix b/nix/module.nix
index de37a2a..612e810 100644
--- a/nix/module.nix
+++ b/nix/module.nix
@@ -116,7 +116,7 @@ in
 serviceConfig = {
 ExecStart = [
 ""
- "${lib.getExe cfg.package} ${cfg.logLevel} server --systemd socket-activate"
+ "${lib.getExe cfg.package} ${cfg.logLevel} server --systemd --disable-landlock socket-activate"
 ];
 ExecReload = [
diff --git a/src/main.rs b/src/main.rs
index 190e6eb..9633db7 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -147,8 +147,10 @@ fn handle_server_command(args: &Args) -> anyhow::Result> {
 "The executable should not be SUID or SGID when running the server manually"
 );
- landlock_restrict_server(args.config.as_deref())
- .context("Failed to apply Landlock restrictions to the server process")?;
+ if !command.disable_landlock {
+ landlock_restrict_server(args.config.as_deref())
+ .context("Failed to apply Landlock restrictions to the server process")?;
+ }
 tokio_start_server(
 args.config.to_owned(),
diff --git a/src/server/command.rs b/src/server/command.rs
index b62267c..4b86855 100644
--- a/src/server/command.rs
+++ b/src/server/command.rs
@@ -10,10 +10,13 @@ use crate::{core::common::DEFAULT_CONFIG_PATH, server::supervisor::Supervisor};
 #[derive(Parser, Debug, Clone)]
 pub struct ServerArgs {
 #[command(subcommand)]
- subcmd: ServerCommand,
+ pub subcmd: ServerCommand,
 #[arg(long)]
- systemd: bool,
+ pub systemd: bool,
+
+ #[arg(long)]
+ pub disable_landlock: bool,
 }
 #[derive(Parser, Debug, Clone)]
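Review bot: The packaged unit now passes `--disable-landlock` on `ExecStart`, so every default install runs the server without its Landlock restrictions, and nothing visible in this hunk records why or puts another confinement in its place; the same applies to the `ExecStart` entry changed in `nix/module.nix`. If Landlock conflicts with the socket-activated setup, a comment above the line such as `# Landlock is disabled under systemd because <reason>; confinement comes from the sandboxing directives below` would document the decision. The rest of the `[Service]` section lies outside the hunk, so I cannot tell whether directives such as `NoNewPrivileges=yes` or `ProtectSystem=strict` are already set; if they are not, they belong in the same change as this flag.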
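Review bot: When `command.disable_landlock` is set, the new `if` in `handle_server_command` skips `landlock_restrict_server` without leaving any trace, so logs cannot distinguish a confined server from an unconfined one. An `else` branch that emits a warning through the server's existing logger, with a message along the lines of `Landlock restrictions disabled by --disable-landlock`, would make the reduced sandboxing visible to operators and to later audits, provided logging is already initialised at this point. The function starts and ends outside the hunk, and `command` is bound outside it, so I cannot confirm where the flag value comes from.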
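Review bot: The new `disable_landlock` field carries no doc comment, so the flag shows up in `--help` without a description even though it switches off a security control. Since clap derives help text from doc comments, adding `/// Skip applying Landlock restrictions to the server process; it then runs without that filesystem confinement.` above its `#[arg(long)]` would cover it. The same hunk also widens `subcmd` and `systemd` to `pub`; if `ServerArgs` is only read from within the same crate, `pub(crate)` would be enough, though the crate layout is not visible here.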