JakeHillion/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge pull request #197696 from MidAutumnMoon/go-119-services-fix-3

Browse Source 
nixos/{shiori,nats,geoipupdate,prometheus-smartct,}: set proper SystemCallFilter
This commit is contained in:
Jörg Thalheim 2022-10-25 13:21:08 +02:00 committed by GitHub
commit 493ae49688
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 4 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
nixos/modules/services/misc/geoipupdate.nix
View File

@ -197,7 +197,7 @@ in
ProtectKernelTunables = true; ProtectKernelTunables = true;
ProtectProc = "invisible"; ProtectProc = "invisible";
ProcSubset = "pid"; ProcSubset = "pid";
SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ]; SystemCallFilter = [ "@system-service" "~@privileged" ];
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ]; RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
RestrictRealtime = true; RestrictRealtime = true;
RestrictNamespaces = true; RestrictNamespaces = true;

5
nixos/modules/services/monitoring/prometheus/exporters/smartctl.nix
View File

@ -66,10 +66,7 @@ in {
ProtectProc = "invisible"; ProtectProc = "invisible";
ProcSubset = "pid"; ProcSubset = "pid";
SupplementaryGroups = [ "disk" ]; SupplementaryGroups = [ "disk" ];
SystemCallFilter = [ SystemCallFilter = [ "@system-service" "~@privileged" ];
"@system-service"
"~@privileged @resources"
];
}; };
}; };
} }

2
nixos/modules/services/networking/nats.nix
View File

@ -137,7 +137,7 @@ in {
RestrictNamespaces = true; RestrictNamespaces = true;
RestrictRealtime = true; RestrictRealtime = true;
RestrictSUIDSGID = true; RestrictSUIDSGID = true;
SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ]; SystemCallFilter = [ "@system-service" "~@privileged" ];
UMask = "0077"; UMask = "0077";
} }
]; ];

2
nixos/modules/services/web-apps/shiori.nix
View File

@ -86,7 +86,7 @@ in {
SystemCallErrorNumber = "EPERM"; SystemCallErrorNumber = "EPERM";
SystemCallFilter = [ SystemCallFilter = [
"@system-service" "@system-service"
"~@cpu-emulation" "~@debug" "~@keyring" "~@memlock" "~@obsolete" "~@privileged" "~@resources" "~@setuid" "~@cpu-emulation" "~@debug" "~@keyring" "~@memlock" "~@obsolete" "~@privileged" "~@setuid"
]; ];
}; };
}; };