From a587a2b02a9d611b092d76cfa0f8e225eb48e365 Mon Sep 17 00:00:00 2001
From: Erik Arvstedt
Date: Mon, 1 Feb 2021 22:53:08 +0100
Subject: [PATCH] defaultHardening: explain where @system-service is defined
---
 pkgs/lib.nix | 1 +
 1 file changed, 1 insertion(+)
diff --git a/pkgs/lib.nix b/pkgs/lib.nix
index ab8bfb0..46dba79 100644
--- a/pkgs/lib.nix
+++ b/pkgs/lib.nix
@@ -28,6 +28,7 @@ let self = {
 CapabilityBoundingSet = "";
 # @system-service whitelist and docker seccomp blacklist (except for "clone"
 # which is a core requirement for systemd services)
+ # @system-service is defined in src/shared/seccomp-util.c (systemd source)
 SystemCallFilter = [ "@system-service" "~add_key clone3 get_mempolicy kcmp keyctl mbind move_pages name_to_handle_at personality process_vm_readv process_vm_writev request_key set_mempolicy setns unshare userfaultfd" ];
 SystemCallArchitectures= "native";
 };
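Review bot: The added comment above `SystemCallFilter` names a path in the systemd source tree, but it does not tell a reader which syscalls the group contains on the systemd version actually deployed, and the group's membership can differ between systemd releases. Since this allow-list is the base of the seccomp policy, I would add a second comment line that points at the runtime view, e.g. `# List the effective set for the installed systemd with: systemd-analyze syscall-filter @system-service`. That makes it easier to check, after a systemd upgrade, whether a newly added syscall needs an entry in the `~` deny list on the next line. The enclosing attribute set starts outside this hunk, so the rest of the hardening options are not visible here.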