From 41f861134a7f0d39dd7fcf8d60026e35734b8b29 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?=
Date: Tue, 25 Oct 2022 11:40:35 +0200
Subject: [PATCH] acme: add missing setrlimit call for lego

$ sudo journalctl _AUDIT_TYPE_NAME=SECCOMP -f
Oct 25 09:25:07 ***** audit[619521]: SECCOMP auid=4294967295 uid=996 gid=60 ses=4294967295 subj=kernel pid=619521 comm="lego" exe="/nix/store/pbpkp3yqj5raw05624xscsl5ix1xl73p-lego-4.9.0/bin/lego" sig=31 arch=c000003e syscall=160 compat=0 ip=0x4043ee code=0x80000000

Otherwise it crashes at startup.
---
 nixos/modules/security/acme/default.nix | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/nixos/modules/security/acme/default.nix b/nixos/modules/security/acme/default.nix
index 1c4a88954b655..5066bcc678c80 100644
--- a/nixos/modules/security/acme/default.nix
+++ b/nixos/modules/security/acme/default.nix
@@ -67,6 +67,8 @@ let
 "~@privileged"
 # 3. then allow the required subset within denied groups
 "@chown"
+# 4. Lego uses setrlimit
+"setrlimit"
 ];
 };
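Review bot: The added comment `# 4. Lego uses setrlimit` records the symptom but not the cause, so a later tightening of the SystemCallFilter could drop the entry again without anyone recognising why it was there; the commit message already has the evidence (SIGSYS, syscall 160 on arch c000003e, i.e. setrlimit on x86_64), so it is worth carrying into the file as `# 4. lego (Go runtime, presumably its RLIMIT_NOFILE adjustment) calls setrlimit at startup; without it the service dies with SIGSYS under seccomp`. The log only evidences x86_64: on other architectures Go's syscall package is believed to reach the same rlimit change through prlimit64 rather than setrlimit, so if those platforms run this service it would be worth confirming that prlimit64 is not caught by one of the denied groups above the hunk (the deny list starts before the hunk, so the group that blocks setrlimit is not visible here). The opening of the filter list, and the enclosing attribute set, lie outside the hunk.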