nixos/matrix-appservice-irc: fix chown of registration.yml in pre-script

Before the startup, the matrix-appservice-irc service sets up the
registration file such that it can be used by matrix-synapse. Part of
that setup requires us to change the group of said file so that the home
server can read it. Consequently, we need CAP_CHOWN and require that the
@chown system calls are allowed.

While we supposedly set up both of these, the setup of system calls is
broken as we have both an allow and a deny list of syscalls. But while
the allow list contains "@chown", the deny list contains "@privileged"
which contains "@chown" itself. So ultimately, we end up denying
"@chown".

Fix this issue by specifying "@chown" after the deny list.

Changed files
+2 -1
nixos/modules/services/matrix/appservice-irc.nix
···
RestrictRealtime = true;
PrivateMounts = true;
SystemCallFilter = [
-
"@system-service @pkey @chown"
+
"@system-service @pkey"
"~@privileged @resources"
+
"@chown"
];
SystemCallArchitectures = "native";
# AF_UNIX is required to connect to a postgres socket.
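Review bot: the added "@chown" entry at the end of SystemCallFilter carries no comment explaining that its position after "~@privileged @resources" is what makes it take effect, so a later tidy-up could fold it back into the "@system-service @pkey" line and silently reintroduce the denial described in the commit message. systemd applies the list entries in order, and "@privileged" includes "@chown", so the re-allow has to come last. Suggest a short comment directly above the entry, for example: `# Must stay after the deny list: @privileged contains @chown.` It would also be worth stating there that the group is only needed for the chown of the registration file in the pre-script, since the filter applies to the whole unit and a reader cannot tell from this list why the main service is allowed these calls.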