BoomMicrophone/nixpkgs-suyu
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Merge pull request #197696 from MidAutumnMoon/go-119-services-fix-3

Browse source 
nixos/{shiori,nats,geoipupdate,prometheus-smartct,}: set proper SystemCallFilter
This commit is contained in:
Jörg Thalheim 2022-10-25 13:21:08 +02:00 committed by GitHub
commit 493ae49688
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
4 changed files with 4 additions and 7 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
nixos/modules/services/misc/geoipupdate.nix
View file

@ -197,7 +197,7 @@ in
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProcSubset = "pid";
SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ];
SystemCallFilter = [ "@system-service" "~@privileged" ];
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
RestrictRealtime = true;
RestrictNamespaces = true;

5
nixos/modules/services/monitoring/prometheus/exporters/smartctl.nix
View file

@ -66,10 +66,7 @@ in {
ProtectProc = "invisible";
ProcSubset = "pid";
SupplementaryGroups = [ "disk" ];
SystemCallFilter = [
"@system-service"
"~@privileged @resources"
];
SystemCallFilter = [ "@system-service" "~@privileged" ];
};
};
}

2
nixos/modules/services/networking/nats.nix
View file

@ -137,7 +137,7 @@ in {
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ];
SystemCallFilter = [ "@system-service" "~@privileged" ];
UMask = "0077";
}
];

2
nixos/modules/services/web-apps/shiori.nix
View file

@ -86,7 +86,7 @@ in {
SystemCallErrorNumber = "EPERM";
SystemCallFilter = [
"@system-service"
"~@cpu-emulation" "~@debug" "~@keyring" "~@memlock" "~@obsolete" "~@privileged" "~@resources" "~@setuid"
"~@cpu-emulation" "~@debug" "~@keyring" "~@memlock" "~@obsolete" "~@privileged" "~@setuid"
];
};
};