authorMartin Weinelt <hexa@darmstadt.ccc.de>2023-07-30 03:07:52 +0200
committerMartin Weinelt <hexa@darmstadt.ccc.de>2023-07-30 03:07:52 +0200
commit6ae8e13396ead898761732ccff3ec5351d9fed2a (patch)
treebc39fda1f2746a28036f594e91c39c007e4bdf96 /nixos/modules/services/matrix
parentddfe5282c8ff3b2060397dc2ff3497bb448bed08 (diff)
nixos/matrix-appservice-irc: update syscall filter
Simplify the SystemCallFilter by employing an explicit allow list and
an explicit block list.

Node since version 18 requires syscalls in the @pkey group.

Excluding @privileged and @resources is a recommendation in
systemd-analyze.
Diffstat (limited to 'nixos/modules/services/matrix')
-rw-r--r--nixos/modules/services/matrix/appservice-irc.nix5
1 files changed, 4 insertions, 1 deletions
diff --git a/nixos/modules/services/matrix/appservice-irc.nix b/nixos/modules/services/matrix/appservice-irc.nix
index 5526df785c356..8883d604b2eae 100644
--- a/nixos/modules/services/matrix/appservice-irc.nix
+++ b/nixos/modules/services/matrix/appservice-irc.nix
@@ -215,7 +215,10 @@ in {
         LockPersonality = true;
         RestrictRealtime = true;
         PrivateMounts = true;
-        SystemCallFilter = "~@aio @clock @cpu-emulation @debug @keyring @memlock @module @mount @obsolete @raw-io @setuid @swap";
+        SystemCallFilter = [
+          "@system-service @pkey"
+          "~@privileged @resources"
+        ];
         SystemCallArchitectures = "native";
         # AF_UNIX is required to connect to a postgres socket.
         RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6";
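Review bot: The new allow list on the `SystemCallFilter` lines quietly re-permits groups the removed line denied: in current systemd, `@system-service` includes `@aio`, `@keyring`, `@memlock` and `@setuid`, and the new deny entry subtracts only `@privileged` and `@resources`, so calls such as setuid(2) and add_key(2) that were blocked before are now reachable by the bridge. If the process does not need them, append them to the deny entry, e.g. `"~@privileged @resources @setuid @keyring @memlock"`, and confirm against the running sandbox before merging. The `@pkey` requirement is recorded only in the commit message; a comment in the style of the `AF_UNIX` note, `# Node.js >= 18 needs the @pkey syscall group.`, placed above the option would keep that rationale in the file. The enclosing serviceConfig attribute set starts and ends outside the hunk.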