nixos/acme: Relax syscall filter after go upgrade

With Go 1.19 calls to setrlimit are required for lego to run. While we could allow setrlimit alone, I think it is not unreasonable to allow @resources in general. Closes: NixOS#197513
mweinelt · Oct 24, 2022 · f2831a9 · f2831a9
1 parent c08f3c0
commit f2831a9
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/nixos/modules/security/acme/default.nix b/nixos/modules/security/acme/default.nix
@@ -62,9 +62,9 @@ let
     SystemCallArchitectures = "native";
     SystemCallFilter = [
       # 1. allow a reasonable set of syscalls
-      "@system-service"
+      "@system-service @resources"
       # 2. and deny unreasonable ones
-      "~@privileged @resources"
+      "~@privileged"
       # 3. then allow the required subset within denied groups
       "@chown"
     ];