# SPDX-License-Identifier: CC0-1.0
# SPDX-FileCopyrightText: 2025 Demi Marie Obenour

# systemd service-manager hardening for the Spectrum OS host.
# Everything below lives in the [Manager] section, i.e. the
# section systemd reads from system.conf and system.conf.d
# fragments, so it governs PID 1 and every service it spawns.
[Manager]

# Keep PATH minimal so that a program is found only when it was
# deliberately installed, which on this host means being listed
# under "packages" or "usrPackages" in host/rootfs/default.nix.
DefaultEnvironment=PATH=/usr/bin

# No file on the Spectrum OS host is setuid, setgid, or carries
# file capabilities, so refusing new privileges costs nothing
# and has the same effect as mounting every filesystem nosuid.
# Revisit this once SELinux is in use: a domain transition may
# have to grant a program rights its caller must not hold.
# Even then, the preferred design is to have such programs
# started by the all-powerful init process rather than relying
# on privilege escalation at exec time.
NoNewPrivileges=yes

# Nothing on the Spectrum OS host needs to issue system calls
# for a non-native architecture, so reject them outright.
SystemCallArchitectures=native

# Nothing on the Spectrum OS host needs a capability whose only
# purpose is to compromise the kernel. Kernel lockdown already
# blocks such operations; removing CAP_SYS_RAWIO from the
# bounding set makes that restriction explicit at the manager.
CapabilityBoundingSet=~CAP_SYS_RAWIO