nixos/unbound: fix wrong syscall filter

This changes the syscall filter to match that of upstream. Note that SystemCallFilter=~foo bar is completely different from SystemCallFilter=~foo SystemCallFilter=bar The former one means that foo and bar are forbidden, and the latter one means foo is forbidden and bar is granted!
2024-11-27 17:33:09 +00:00 · 2023-11-05 20:31:52 +00:00 · 2023-11-05 20:31:52 +00:00 · c70614c0a4
commit c70614c0a4
parent 6e9240e25b
1 changed files with 1 additions and 8 deletions
--- a/nixos/modules/services/networking/unbound.nix
+++ b/nixos/modules/services/networking/unbound.nix
@ -273,14 +273,7 @@ in {
        RestrictRealtime = true;
        SystemCallArchitectures = "native";
        SystemCallFilter = [
-          "~@clock"
-          "@cpu-emulation"
-          "@debug"
-          "@keyring"
-          "@module"
-          "mount"
-          "@obsolete"
-          "@resources"
+          "~@clock @cpu-emulation @debug @keyring @module mount @obsolete @resources"
        ];
        RestrictNamespaces = true;
        LockPersonality = true;