commit fb5e34fb3976a8a3dbef502e2863c23619a1f596 · pyrox.dev/nixpkgs

pyrox.dev / nixpkgs

lol

nixos/cryptpad: fix service with nodejs 22.11 (for real)

The previous fix had only been tested locally through a runtime edit of
the service, and the order in which @chown had been re-added was
different so commit cf498c1a61b3 ("nixos/cryptpad: fix service with
nodejs 22.11") did not actually fix the issue.

This properly orders @chown after @privileged so the rule is respected,
and also properly denies with EPERM instead of allowing the chown family
of syscalls: this will properly prevent seccomp from killing nodejs
while still disallowing fchown()

Fixes https://github.com/NixOS/nixpkgs/issues/370717

Dominique Martinet 11 months ago fb5e34fb 8407a64b

options

unified split

Changed files

+4 -2

nixos

modules

services

web-apps

cryptpad.nix

+4 -2

nixos/modules/services/web-apps/cryptpad.nix

···

       195
       195
        
                 SystemCallFilter = [

     

       196
       196
        
                   "@pkey"

     

       197
       197
        
                   "@system-service"

     

       198
       198
       -
                   "@chown"

     

       198
       198
       +
                   # /!\ order matters: @privileged contains @chown, so we need

     

       199
       199
       +
                   # @privileged negated before we re-list @chown for libuv copy

     

       200
       200
       +
                   "~@privileged"

     

       201
       201
       +
                   "~@chown:EPERM"

     

       199
       202
        
                   "~@keyring"

     

       200
       203
        
                   "~@memlock"

     

       201
       201
       -
                   "~@privileged"

     

       202
       204
        
                   "~@resources"

     

       203
       205
        
                   "~@setuid"

     

       204
       206
        
                   "~@timer"