pyrox.dev / nixpkgs
lol
fork atom

Merge pull request #122825 from Izorkin/update-duplicates-systemcallfilters

treewide: remove duplicates SystemCallFilters

Jörg Thalheim b900661f 70b37f9b

options
unified split
Changed files
+6 -13
nixos
modules
services
databases
redis.nix
misc
jellyfin.nix
network-filesystems
samba-wsdd.nix
networking
croc.nix
web-apps
shiori.nix
web-servers
nginx
default.nix
+1 -1
nixos/modules/services/databases/redis.nix 
···

       
331

       
331

       
 

       
        PrivateMounts = true;


     

       
332

       
332

       
 

       
        # System Call Filtering


     

       
333

       
333

       
 

       
        SystemCallArchitectures = "native";


     

       
334

       

       
-

       
        SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @memlock @module @mount @obsolete @privileged @raw-io @reboot @resources @setuid @swap";


     

       

       
334

       
+

       
        SystemCallFilter = "~@cpu-emulation @debug @keyring @memlock @mount @obsolete @privileged @resources @setuid";


     

       
335

       
335

       
 

       
      };


     

       
336

       
336

       
 

       
    };


     

       
337

       
337

       
 

       
  };
+1 -3
nixos/modules/services/misc/jellyfin.nix 
···

       
92

       
92

       
 

       
        SystemCallErrorNumber = "EPERM";


     

       
93

       
93

       
 

       
        SystemCallFilter = [


     

       
94

       
94

       
 

       
          "@system-service"


     

       
95

       

       
-

       



     

       
96

       

       
-

       
          "~@chown" "~@cpu-emulation" "~@debug" "~@keyring" "~@memlock" "~@module"


     

       
97

       

       
-

       
          "~@obsolete" "~@privileged" "~@setuid"


     

       

       
95

       
+

       
          "~@cpu-emulation" "~@debug" "~@keyring" "~@memlock" "~@obsolete" "~@privileged" "~@setuid"


     

       
98

       
96

       
 

       
        ];


     

       
99

       
97

       
 

       
      };


     

       
100

       
98

       
 

       
    };
+1 -1
nixos/modules/services/network-filesystems/samba-wsdd.nix 
···

       
117

       
117

       
 

       
        PrivateMounts = true;


     

       
118

       
118

       
 

       
        # System Call Filtering


     

       
119

       
119

       
 

       
        SystemCallArchitectures = "native";


     

       
120

       

       
-

       
        SystemCallFilter = "~@clock @cpu-emulation @debug @module @mount @obsolete @privileged @raw-io @reboot @resources @swap";


     

       

       
120

       
+

       
        SystemCallFilter = "~@cpu-emulation @debug @mount @obsolete @privileged @resources";


     

       
121

       
121

       
 

       
      };


     

       
122

       
122

       
 

       
    };


     

       
123

       
123

       
 

       
  };
+1 -3
nixos/modules/services/networking/croc.nix 
···

       
72

       
72

       
 

       
        RuntimeDirectoryMode = "700";


     

       
73

       
73

       
 

       
        SystemCallFilter = [


     

       
74

       
74

       
 

       
          "@system-service"


     

       
75

       

       
-

       
          "~@aio" "~@chown" "~@keyring" "~@memlock"


     

       
76

       

       
-

       
          "~@privileged" "~@resources" "~@setuid"


     

       
77

       

       
-

       
          "~@sync" "~@timer"


     

       

       
75

       
+

       
          "~@aio" "~@keyring" "~@memlock" "~@privileged" "~@resources" "~@setuid" "~@sync" "~@timer"


     

       
78

       
76

       
 

       
        ];


     

       
79

       
77

       
 

       
        SystemCallArchitectures = "native";


     

       
80

       
78

       
 

       
        SystemCallErrorNumber = "EPERM";
+1 -4
nixos/modules/services/web-apps/shiori.nix 
···

       
86

       
86

       
 

       
        SystemCallErrorNumber = "EPERM";


     

       
87

       
87

       
 

       
        SystemCallFilter = [


     

       
88

       
88

       
 

       
          "@system-service"


     

       
89

       

       
-

       



     

       
90

       

       
-

       
          "~@chown" "~@cpu-emulation" "~@debug" "~@keyring" "~@memlock"


     

       
91

       

       
-

       
          "~@module" "~@obsolete" "~@privileged" "~@raw-io"


     

       
92

       

       
-

       
          "~@resources" "~@setuid"


     

       

       
89

       
+

       
          "~@cpu-emulation" "~@debug" "~@keyring" "~@memlock" "~@obsolete" "~@privileged" "~@resources" "~@setuid"


     

       
93

       
90

       
 

       
        ];


     

       
94

       
91

       
 

       
      };


     

       
95

       
92

       
 

       
    };
+1 -1
nixos/modules/services/web-servers/nginx/default.nix 
···

       
859

       
859

       
 

       
        PrivateMounts = true;


     

       
860

       
860

       
 

       
        # System Call Filtering


     

       
861

       
861

       
 

       
        SystemCallArchitectures = "native";


     

       
862

       

       
-

       
        SystemCallFilter = "~@chown @cpu-emulation @debug @keyring @ipc @module @mount @obsolete @privileged @raw-io @reboot @setuid @swap";


     

       

       
862

       
+

       
        SystemCallFilter = "~@cpu-emulation @debug @keyring @ipc @mount @obsolete @privileged @setuid";


     

       
863

       
863

       
 

       
      };


     

       
864

       
864

       
 

       
    };


     

       
865

       
865