diff options
author | Patrick Steinhardt <ps@pks.im> | 2024-04-27 15:19:28 +0200 |
---|---|---|
committer | github-actions[bot] <github-actions[bot]@users.noreply.github.com> | 2024-04-27 19:13:14 +0000 |
commit | 37331493bbd51f1bc31c6ba5a623be8f7513245e (patch) | |
tree | b073ed9247a6cc91edeb7cb98e68730267030d7c /nixos/modules | |
parent | 49b4bed663f129b72479fe72fcbb6a13bd025b0a (diff) |
nixos/matrix-appservice-irc: fix chown of registration.yml in pre-script
Before the startup, the matrix-appservice-irc service sets up the registration file such that it can be used by matrix-synapse. Part of that setup requires us to change the group of said file so that the home server can read it. Consequently, we need CAP_CHOWN and require that the @chown system calls are allowed. While we supposedly set up both of these, the setup of system calls is broken as we have both an allow and a deny list of syscalls. But while the allow list contains "@chown", the deny list contains "@privileged" which contains "@chown" itself. So ultimately, we end up denying "@chown". Fix this issue by specifying "@chown" after the deny list. (cherry picked from commit ff3358b3f5802d1b1ec61e79657f9220b0d75da5)
Diffstat (limited to 'nixos/modules')
-rw-r--r-- | nixos/modules/services/matrix/appservice-irc.nix | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/nixos/modules/services/matrix/appservice-irc.nix b/nixos/modules/services/matrix/appservice-irc.nix index c79cd799b4d0e..ed15641e37107 100644 --- a/nixos/modules/services/matrix/appservice-irc.nix +++ b/nixos/modules/services/matrix/appservice-irc.nix @@ -214,8 +214,9 @@ in { RestrictRealtime = true; PrivateMounts = true; SystemCallFilter = [ - "@system-service @pkey @chown" + "@system-service @pkey" "~@privileged @resources" + "@chown" ]; SystemCallArchitectures = "native"; # AF_UNIX is required to connect to a postgres socket. |