diff options
author | Patrick Steinhardt <ps@pks.im> | 2024-04-27 15:19:28 +0200 |
---|---|---|
committer | Patrick Steinhardt <ps@pks.im> | 2024-04-27 19:04:08 +0200 |
commit | ff3358b3f5802d1b1ec61e79657f9220b0d75da5 (patch) | |
tree | cd6daf1131b24542bb5a43f0c4297f43dcebc2b1 /nixos/modules/services/matrix | |
parent | 60cb88cc491e819c16fc579fd697d33defd2a8e3 (diff) |
nixos/matrix-appservice-irc: fix chown of registration.yml in pre-script
Before the startup, the matrix-appservice-irc service sets up the registration file such that it can be used by matrix-synapse. Part of that setup requires us to change the group of said file so that the home server can read it. Consequently, we need CAP_CHOWN and require that the @chown system calls are allowed. While we supposedly set up both of these, the setup of system calls is broken as we have both an allow and a deny list of syscalls. But while the allow list contains "@chown", the deny list contains "@privileged" which contains "@chown" itself. So ultimately, we end up denying "@chown". Fix this issue by specifying "@chown" after the deny list.
Diffstat (limited to 'nixos/modules/services/matrix')
-rw-r--r-- | nixos/modules/services/matrix/appservice-irc.nix | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/nixos/modules/services/matrix/appservice-irc.nix b/nixos/modules/services/matrix/appservice-irc.nix index 90790169142aa..f4539a90f2e60 100644 --- a/nixos/modules/services/matrix/appservice-irc.nix +++ b/nixos/modules/services/matrix/appservice-irc.nix @@ -214,8 +214,9 @@ in { RestrictRealtime = true; PrivateMounts = true; SystemCallFilter = [ - "@system-service @pkey @chown" + "@system-service @pkey" "~@privileged @resources" + "@chown" ]; SystemCallArchitectures = "native"; # AF_UNIX is required to connect to a postgres socket. |