nixos/acme: Relax syscall filter after go upgrade
With Go 1.19 calls to setrlimit are required for lego to run.

While we could allow setrlimit alone, I think it is not unreasonable to
allow @resources in general.

Closes: #197513
mweinelt committed Oct 24, 2022
1 parent c08f3c0 commit f2831a9
Showing 1 changed file with 2 additions and 2 deletions.
4 changes: 2 additions & 2 deletions nixos/modules/security/acme/default.nix
Expand Up @@ -62,9 +62,9 @@ let
SystemCallArchitectures = "native";
SystemCallFilter = [
# 1. allow a reasonable set of syscalls
"@system-service"
"@system-service @resources"

arianvp Nov 1, 2022

Member

@system-service implies @resources. We don't need to add it here.

mweinelt via email Nov 1, 2022

Author Member
# 2. and deny unreasonable ones
"~@privileged @resources"
"~@privileged"
# 3. then allow the required subset within denied groups
"@chown"
];
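
Review bot: The step 1 entry now reads "@system-service @resources" while step 2 drops @resources from the deny line, so the whole @resources group is permitted even though the commit message says only setrlimit is required for lego. The block's own step 3 ("then allow the required subset within denied groups") already gives the narrower pattern: keep "~@privileged @resources" and list "setrlimit" beside "@chown". If the broader group stays, the inline review comment suggests the addition on the allow line is redundant, and a short comment in this block recording that lego built with Go 1.19 needs setrlimit would keep a later hardening pass from putting @resources back on the deny line.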