Unverified Commit 8900f1f1 authored by Nick Cao Committed by GitHub

nixos/conduwuit: block mistakenly allowed syscalls (#381630)

parents bf1541b9 de8b060c
+2 −16
@@ -246,22 +246,8 @@ in
        RestrictRealtime = true;
        SystemCallArchitectures = "native";
        SystemCallFilter = [
          "@system-service"
          "@resources"
          "~@clock"
          "@debug"
          "@module"
          "@mount"
          "@reboot"
          "@swap"
          "@cpu-emulation"
          "@obsolete"
          "@timer"
          "@chown"
          "@setuid"
          "@privileged"
          "@keyring"
          "@ipc"
          "@system-service @resources"
          "~@clock @debug @module @mount @reboot @swap @cpu-emulation @obsolete @timer @chown @setuid @privileged @keyring @ipc"
        ];
        SystemCallErrorNumber = "EPERM";