pyrox.dev / nixpkgs
lol
fork atom

nixos/grafana: allow @chown syscalls when using unix sockets

Grafana will unconditionally call chown on the socket after creating it,
even if the configuration does not ask for a different socket gid.

D Anzorge 9be81d0a c2720ceb

options
unified split
Changed files
+4 -1
nixos
modules
services
monitoring
grafana.nix
+4 -1
nixos/modules/services/monitoring/grafana.nix 
···

       
1291

       
 

       
        SystemCallArchitectures = "native";


     

       
1292

       
 

       
        # Upstream grafana is not setting SystemCallFilter for compatibility


     

       
1293

       
 

       
        # reasons, see https://github.com/grafana/grafana/pull/40176


     

       
1294

       
-

       
        SystemCallFilter = [ "@system-service" "~@privileged" ];


     

       

       

       
     

       

       

       
     

       

       

       
     

       
1295

       
 

       
        UMask = "0027";


     

       
1296

       
 

       
      };


     

       
1297

       
 

       
      preStart = ''


     
···

       
1291

       
 

       
        SystemCallArchitectures = "native";


     

       
1292

       
 

       
        # Upstream grafana is not setting SystemCallFilter for compatibility


     

       
1293

       
 

       
        # reasons, see https://github.com/grafana/grafana/pull/40176


     

       
1294

       
+

       
        SystemCallFilter = [


     

       
1295

       
+

       
          "@system-service"


     

       
1296

       
+

       
          "~@privileged"


     

       
1297

       
+

       
        ] ++ lib.optional (cfg.settings.server.protocol == "socket") [ "@chown" ];


     

       
1298

       
 

       
        UMask = "0027";


     

       
1299

       
 

       
      };


     

       
1300

       
 

       
      preStart = ''