nixos/acme: Relax syscall filter after go upgrade

With Go 1.19 calls to setrlimit are required for lego to run. While we could allow setrlimit alone, I think it is not unreasonable to allow @resources in general. Closes: #197513
author: Martin Weinelt <hexa@darmstadt.ccc.de> 2022-10-24 14:57:25 +0200
committer: zowoq <59103226+zowoq@users.noreply.github.com> 2022-10-25 07:22:27 +1000
commit: fcf2d05d817fad1dc212b4c5bfd4e70c37f59f69 (patch)
tree: f31ba4994d2f8f706df51835a1947cb181d8ad65 /nixos/modules/security
parent: 8753025d8ec1e3158587f99318766eac31ec1e3a (diff)
1 files changed, 2 insertions, 2 deletions
diff --git a/nixos/modules/security/acme/default.nix b/nixos/modules/security/acme/default.nix
index e9299fb1b3adb..1c4a88954b655 100644
--- a/nixos/modules/security/acme/default.nix
+++ b/nixos/modules/security/acme/default.nix
@@ -62,9 +62,9 @@ let
     SystemCallArchitectures = "native";
     SystemCallFilter = [
       # 1. allow a reasonable set of syscalls
-      "@system-service"
+      "@system-service @resources"
       # 2. and deny unreasonable ones
-      "~@privileged @resources"
+      "~@privileged"
       # 3. then allow the required subset within denied groups
       "@chown"
     ];
author	Martin Weinelt <hexa@darmstadt.ccc.de>	2022-10-24 14:57:25 +0200
committer	zowoq <59103226+zowoq@users.noreply.github.com>	2022-10-25 07:22:27 +1000
commit	fcf2d05d817fad1dc212b4c5bfd4e70c37f59f69 (patch)
tree	f31ba4994d2f8f706df51835a1947cb181d8ad65 /nixos/modules/security
parent	8753025d8ec1e3158587f99318766eac31ec1e3a (diff)