author | Martin Weinelt <hexa@darmstadt.ccc.de> | 2023-07-30 03:07:52 +0200 |
committer | Martin Weinelt <hexa@darmstadt.ccc.de> | 2023-07-30 03:07:52 +0200 |
commit | 6ae8e13396ead898761732ccff3ec5351d9fed2a (patch) | |
tree | bc39fda1f2746a28036f594e91c39c007e4bdf96 /nixos/modules/services/matrix | |
parent | ddfe5282c8ff3b2060397dc2ff3497bb448bed08 (diff) |
nixos/matrix-appservice-irc: update syscall filter
Simplify the SystemCallFilter by employing an explicit allow list and an explicit block list. Node since version 18 requires syscalls in the @pkey group. Excluding @privileged and @resources is a recommendation in systemd-analyze.
Diffstat (limited to 'nixos/modules/services/matrix')
-rw-r--r-- | nixos/modules/services/matrix/appservice-irc.nix | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/nixos/modules/services/matrix/appservice-irc.nix b/nixos/modules/services/matrix/appservice-irc.nix
index 5526df785c356..8883d604b2eae 100644
--- a/nixos/modules/services/matrix/appservice-irc.nix
+++ b/nixos/modules/services/matrix/appservice-irc.nix
@@ -215,7 +215,10 @@ in {
         LockPersonality = true;
         RestrictRealtime = true;
         PrivateMounts = true;
-        SystemCallFilter = "~@aio @clock @cpu-emulation @debug @keyring @memlock @module @mount @obsolete @raw-io @setuid @swap";
+        SystemCallFilter = [
+          "@system-service @pkey"
+          "~@privileged @resources"
+        ];
         SystemCallArchitectures = "native";
         # AF_UNIX is required to connect to a postgres socket.
         RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6"; |
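Review bot: The new `"@system-service @pkey"` allow entry, if I recall the systemd group definitions correctly, already contains several groups the removed deny list blocked explicitly (`@aio`, `@keyring`, `@memlock`, `@setuid`), and the second entry only subtracts `@privileged` and `@resources`, so the rewrite re-permits those calls even though it narrows the filter overall. If the bridge does not need them, keeping the earlier exclusions in the deny entry, `"~@privileged @resources @setuid @keyring @memlock"`, preserves the old posture while keeping the allow-list structure. The reason for `@pkey` lives only in the commit message; a comment on that line, `# Node >= 18 needs the @pkey syscalls`, would stop a later cleanup from dropping it. Since the filter is now an allow list, any syscall a future Node release needs will terminate the service with SIGSYS, which is worth watching for in the journal after upgrades. The enclosing `serviceConfig` attribute set starts and ends outside the hunk.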