Commit ff3358b3 authored by Patrick Steinhardt's avatar Patrick Steinhardt
Browse files

nixos/matrix-appservice-irc: fix chown of registration.yml in pre-script 

Before the startup, the matrix-appservice-irc service sets up the
registration file such that it can be used by matrix-synapse. Part of
that setup requires us to change the group of said file so that the home
server can read it. Consequently, we need CAP_CHOWN and require that the
@chown system calls are allowed.

While we supposedly set up both of these, the setup of system calls is
broken as we have both an allow and a deny list of syscalls. But while
the allow list contains "@chown", the deny list contains "@privileged"
which contains "@chown" itself. So ultimately, we end up denying
"@chown".

Fix this issue by specifying "@chown" after the deny list.
parent 60cb88cc

nixos/modules/services/matrix/appservice-irc.nix

+2 −1
Original line number Diff line number Diff line
@@ -214,8 +214,9 @@ in { 
        RestrictRealtime = true;

        PrivateMounts = true;

        SystemCallFilter = [

          "@system-service @pkey @chown"

          "@system-service @pkey"

          "~@privileged @resources"

          "@chown"

        ];

        SystemCallArchitectures = "native";

        # AF_UNIX is required to connect to a postgres socket.