defaultHardening: allow syscall `set_mempolicy`

This syscall is safe to allow. It's required by the dotnet runtime (btcpayserver, nbxplorer) update introduced in the following commit.
2022-10-22 23:52:59 +02:00 · 2022-10-22 23:52:59 +02:00 · effc1ce0a7
parent 48170b241c
commit effc1ce0a7
1 changed files with 1 additions and 1 deletions
--- a/pkgs/lib.nix
+++ b/pkgs/lib.nix
@ -33,7 +33,7 @@ let self = {
      # @system-service whitelist and docker seccomp blacklist (except for "clone"
      # which is a core requirement for systemd services)
      # @system-service is defined in src/shared/seccomp-util.c (systemd source)
-      SystemCallFilter = [ "@system-service" "~add_key kcmp keyctl mbind move_pages name_to_handle_at personality process_vm_readv process_vm_writev request_key set_mempolicy setns unshare userfaultfd" ];
+      SystemCallFilter = [ "@system-service" "~add_key kcmp keyctl mbind move_pages name_to_handle_at personality process_vm_readv process_vm_writev request_key setns unshare userfaultfd" ];
      SystemCallArchitectures = "native";
  };