defaultHardening: explain where @system-service is defined

2021-02-01 22:53:08 +01:00 · 2021-02-01 22:53:08 +01:00 · a587a2b02a
parent bb3a69797e
commit a587a2b02a
1 changed files with 1 additions and 0 deletions
--- a/pkgs/lib.nix
+++ b/pkgs/lib.nix
@ -28,6 +28,7 @@ let self = {
      CapabilityBoundingSet = "";
      # @system-service whitelist and docker seccomp blacklist (except for "clone"
      # which is a core requirement for systemd services)
+      # @system-service is defined in src/shared/seccomp-util.c (systemd source)
      SystemCallFilter = [ "@system-service" "~add_key clone3 get_mempolicy kcmp keyctl mbind move_pages name_to_handle_at personality process_vm_readv process_vm_writev request_key set_mempolicy setns unshare userfaultfd" ];
      SystemCallArchitectures= "native";
  };