greg
/
nix-bitcoin
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

lib: allow syscall `get_mempolicy` in default seccomp filter 

This syscall is required by an upcoming version of btcpayserver.
Because it is generally safe, we can allow it for all services.
This commit is contained in:
Erik Arvstedt 2021-12-30 16:28:48 +01:00 committed by Jonas Nick
parent a2c01e5a56
commit 53a9f136b9
No known key found for this signature in database
GPG Key ID: 4861DBF262123605
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
pkgs/lib.nix
View File

@ -33,7 +33,7 @@ let self = {
# @system-service whitelist and docker seccomp blacklist (except for "clone"
# which is a core requirement for systemd services)
# @system-service is defined in src/shared/seccomp-util.c (systemd source)
SystemCallFilter = [ "@system-service" "~add_key clone3 get_mempolicy kcmp keyctl mbind move_pages name_to_handle_at personality process_vm_readv process_vm_writev request_key set_mempolicy setns unshare userfaultfd" ];
SystemCallFilter = [ "@system-service" "~add_key clone3 kcmp keyctl mbind move_pages name_to_handle_at personality process_vm_readv process_vm_writev request_key set_mempolicy setns unshare userfaultfd" ];
SystemCallArchitectures = "native";
};