From 4a74b7de084f46655b1f11f738d9e1763ccefcc7 Mon Sep 17 00:00:00 2001
From: Erik Arvstedt
Date: Wed, 10 Nov 2021 21:25:12 +0100
Subject: [PATCH] clightning: work around unsupported seccomp syscall
---
 modules/clightning.nix | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/modules/clightning.nix b/modules/clightning.nix
index c380e2c..44809e4 100644
--- a/modules/clightning.nix
+++ b/modules/clightning.nix
@@ -137,6 +137,14 @@ in {
 Restart = "on-failure";
 RestartSec = "10s";
 ReadWritePaths = cfg.dataDir;
+
+ # TODO-EXTERNAL:
+ # The seccomp version used by systemd in NixOS 21.05 doesn't support
+ # handling syscall 436 (close_range), which has only recently been added:
+ # https://github.com/seccomp/libseccomp/commit/ac849e7960547d418009a783da654d5917dbfe2d
+ #
+ # Disable seccomp filtering because clightning depends on this syscall.
+ SystemCallFilter = [];
 } // nbLib.allowedIPAddresses cfg.enforceTor;
 # Wait until the rpc socket appears
 postStart = ''
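Review bot: `SystemCallFilter = [];` switches off the whole syscall allow-list for clightning rather than admitting the one missing syscall, and the comment gives no condition for turning it back on, so the unit is likely to stay unfiltered after the libseccomp in NixOS catches up. The attribute set this line belongs to opens above the hunk, so the filter being overridden is not visible here; presumably it comes from a shared hardening default. I would add a removal condition to the comment, e.g. `# Remove once the libseccomp shipped with NixOS includes the commit above, so the default filter applies again.` It would also help to state in the comment that the other restrictions visible here (`ReadWritePaths` and `nbLib.allowedIPAddresses`) still apply, so a reader can see what confinement remains for this network-facing service.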