mirror of
https://github.com/NixOS/nixpkgs.git
synced 2024-10-30 06:01:19 +00:00
nixos/acme: Relax syscall filter after go upgrade
With Go 1.19 calls to setrlimit are required for lego to run. While we could allow setrlimit alone, I think it is not unreasonable to allow @resources in general. Closes: #197513
This commit is contained in:
parent
8753025d8e
commit
fcf2d05d81
@ -62,9 +62,9 @@ let
|
||||
SystemCallArchitectures = "native";
|
||||
SystemCallFilter = [
|
||||
# 1. allow a reasonable set of syscalls
|
||||
"@system-service"
|
||||
"@system-service @resources"
|
||||
# 2. and deny unreasonable ones
|
||||
"~@privileged @resources"
|
||||
"~@privileged"
|
||||
# 3. then allow the required subset within denied groups
|
||||
"@chown"
|
||||
];
|
||||
|
Loading…
Reference in New Issue
Block a user