diff options
| author | sternenseemann <0rpkxez4ksa01gb3typccl0i@systemli.org> | 2020-09-18 12:40:27 +0200 |
|---|---|---|
| committer | sternenseemann <0rpkxez4ksa01gb3typccl0i@systemli.org> | 2020-09-18 16:43:41 +0200 |
| commit | 19017d4697aa4a5b3480f86a2aab3f43ccbceba3 (patch) | |
| tree | 7dbca97cd8b8274d32b3ef8e234efc2d71931ff0 | |
| parent | a613abae33169f67b6e853e39d338b4edee8fe72 (diff) | |
feat(nixos): restrict systemcalls further
| -rw-r--r-- | nixos/flipdot-gschichtler.nix | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/nixos/flipdot-gschichtler.nix b/nixos/flipdot-gschichtler.nix index 2ed61f3..66c2ba5 100644 --- a/nixos/flipdot-gschichtler.nix +++ b/nixos/flipdot-gschichtler.nix @@ -32,8 +32,8 @@ in { Type = "simple"; ExecStart = "${fg.warteraum-static}/bin/warteraum"; InAccessibleDirectories = "/"; - # SystemCallFilter = "@default @basic-io @io-event @network-io fcntl @signal"; - SystemCallFilter = "@system-service ~@mount"; + # mmap and munmap are used by libscrypt-kdf + SystemCallFilter = "@default @basic-io @io-event @network-io fcntl @signal @process @timer brk mmap munmap"; SystemCallArchitectures = "native"; CapabilityBoundingSet = ""; |