fix(nixos): relax SystemCallFilter for the dynamic linker

We need to add a few file system related syscalls, so the dynamic linker won't get killed if we use a dynamically linked executable.
author: sternenseemann <0rpkxez4ksa01gb3typccl0i@systemli.org> 2021-06-16 22:13:31 +0200
committer: sterni <sternenseemann@systemli.org> 2021-06-16 22:28:25 +0200
commit: 412cae8bbb05c2a8497dc7147c4bd30cd2f7b05e (patch)
tree: 39c2f12e1747d9972c3051c9d8506bf379243952
parent: 1c6ce35ccab010c7983f7d7a72a849e4e0c377b6 (diff)
1 files changed, 16 insertions, 1 deletions
diff --git a/nixos/flipdot-gschichtler.nix b/nixos/flipdot-gschichtler.nix
index 06efd62..35af0b3 100644
--- a/nixos/flipdot-gschichtler.nix
+++ b/nixos/flipdot-gschichtler.nix
@@ -72,7 +72,22 @@ in {
         Group = userGroupName;
 
         # mmap and munmap are used by libscrypt-kdf
-        SystemCallFilter = "@default @basic-io @io-event @network-io fcntl @signal @process @timer brk mmap munmap open";
+        SystemCallFilter = lib.concatStringsSep " " [
+          "@default"
+          "@basic-io"
+          "@io-event"
+          "@network-io"
+          "fcntl"
+          "@signal"
+          "@process"
+          "@timer"
+          "brk"
+          "mmap" "munmap" "mprotect"
+          "open" "openat"
+          "close"
+          "fstat" "stat"
+          "access"
+          ];
         SystemCallArchitectures = "native";
 
         CapabilityBoundingSet = "";
author	sternenseemann <0rpkxez4ksa01gb3typccl0i@systemli.org>	2021-06-16 22:13:31 +0200
committer	sterni <sternenseemann@systemli.org>	2021-06-16 22:28:25 +0200
commit	412cae8bbb05c2a8497dc7147c4bd30cd2f7b05e (patch)
tree	39c2f12e1747d9972c3051c9d8506bf379243952
parent	1c6ce35ccab010c7983f7d7a72a849e4e0c377b6 (diff)