Merge pull request #246123 from mweinelt/matrix-appservice-syscall-filter-update

nixos/matrix-appservice-irc: update syscall filter
This commit is contained in:
Martin Weinelt 2023-07-30 13:19:13 +02:00 committed by GitHub
commit 0a5e37e177
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23

View file

@ -215,7 +215,10 @@ in {
LockPersonality = true; LockPersonality = true;
RestrictRealtime = true; RestrictRealtime = true;
PrivateMounts = true; PrivateMounts = true;
SystemCallFilter = "~@aio @clock @cpu-emulation @debug @keyring @memlock @module @mount @obsolete @raw-io @setuid @swap"; SystemCallFilter = [
"@system-service @pkey"
"~@privileged @resources"
];
SystemCallArchitectures = "native"; SystemCallArchitectures = "native";
# AF_UNIX is required to connect to a postgres socket. # AF_UNIX is required to connect to a postgres socket.
RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6"; RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6";