From 53a9f136b91e3e145cc8bd8364306b5159c23425 Mon Sep 17 00:00:00 2001
From: Erik Arvstedt <erik.arvstedt@gmail.com>
Date: Thu, 30 Dec 2021 16:28:48 +0100
Subject: [PATCH] lib: allow syscall `get_mempolicy` in default seccomp filter

This syscall is required by an upcoming version of btcpayserver.
Because it is generally safe, we can allow it for all services.
---
 pkgs/lib.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pkgs/lib.nix b/pkgs/lib.nix
index 9181796..5ac6e6e 100644
--- a/pkgs/lib.nix
+++ b/pkgs/lib.nix
@@ -33,7 +33,7 @@ let self = {
       # @system-service whitelist and docker seccomp blacklist (except for "clone"
       # which is a core requirement for systemd services)
       # @system-service is defined in src/shared/seccomp-util.c (systemd source)
-      SystemCallFilter = [ "@system-service" "~add_key clone3 get_mempolicy kcmp keyctl mbind move_pages name_to_handle_at personality process_vm_readv process_vm_writev request_key set_mempolicy setns unshare userfaultfd" ];
+      SystemCallFilter = [ "@system-service" "~add_key clone3  kcmp keyctl mbind move_pages name_to_handle_at personality process_vm_readv process_vm_writev request_key set_mempolicy setns unshare userfaultfd" ];
       SystemCallArchitectures = "native";
   };