author | Izorkin <izorkin@elven.pw> | 2021-05-12 11:34:26 +0300 |
committer | Kerstin <kerstin@erictapen.name> | 2021-11-06 16:45:20 +0100 |
commit | 91e510ae220e3287ccfc868ef63b8e952f76d3ae (patch) | |
tree | 8ce778e5e6ba7fd1f53e633edaeba73c3a5d9347 /nixos/modules/services/web-apps/mastodon.nix | |
parent | 700ea62f549e00fbe531c387e68b99b08378f172 (diff) | |
nixos/mastodon: add '@ipc' SystemCallFilter
Diffstat (limited to 'nixos/modules/services/web-apps/mastodon.nix')
-rw-r--r-- | nixos/modules/services/web-apps/mastodon.nix | 12 |
1 files changed, 6 insertions, 6 deletions
diff --git a/nixos/modules/services/web-apps/mastodon.nix b/nixos/modules/services/web-apps/mastodon.nix
index 527fc5bb8e2..0c6ef1348af 100644
--- a/nixos/modules/services/web-apps/mastodon.nix
+++ b/nixos/modules/services/web-apps/mastodon.nix
@@ -38,7 +38,7 @@ let
 // (if cfg.smtp.authenticate then { SMTP_LOGIN = cfg.smtp.user; } else {})
 // cfg.extraConfig;
- systemCallsList = [ "@cpu-emulation" "@debug" "@keyring" "@mount" "@obsolete" "@privileged" "@setuid" ];
+ systemCallsList = [ "@cpu-emulation" "@debug" "@keyring" "@ipc" "@mount" "@obsolete" "@privileged" "@setuid" ];
 cfgService = {
 # User and group
@@ -468,7 +468,7 @@ in {
 Type = "oneshot";
 WorkingDirectory = cfg.package;
 # System Call Filtering
- SystemCallFilter = [ ("~" + lib.concatStringsSep " " (systemCallsList ++ [ "@resources" ])) "@chown" ];
+ SystemCallFilter = [ ("~" + lib.concatStringsSep " " (systemCallsList ++ [ "@resources" ])) "@chown" "pipe" "pipe2" ];
 } // cfgService;
 after = [ "network.target" ];
@@ -495,7 +495,7 @@ in {
 EnvironmentFile = "/var/lib/mastodon/.secrets_env";
 WorkingDirectory = cfg.package;
 # System Call Filtering
- SystemCallFilter = [ ("~" + lib.concatStringsSep " " (systemCallsList ++ [ "@resources" ])) "@chown" ];
+ SystemCallFilter = [ ("~" + lib.concatStringsSep " " (systemCallsList ++ [ "@resources" ])) "@chown" "pipe" "pipe2" ];
 } // cfgService;
 after = [ "mastodon-init-dirs.service" "network.target" ] ++ (if databaseActuallyCreateLocally then [ "postgresql.service" ] else []);
 wantedBy = [ "multi-user.target" ];
@@ -521,7 +521,7 @@ in {
 RuntimeDirectory = "mastodon-streaming";
 RuntimeDirectoryMode = "0750";
 # System Call Filtering
- SystemCallFilter = "~" + lib.concatStringsSep " " (systemCallsList ++ [ "@resources" ]);
+ SystemCallFilter = [ ("~" + lib.concatStringsSep " " (systemCallsList ++ [ "@resources" ])) "pipe" "pipe2" ];
 } // cfgService;
 };
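Review bot: The `@ipc` deny added to `systemCallsList` in the -38 hunk is partially undone in every service unit by the appended `"pipe" "pipe2"` entries (hunks -468, -495 and -521 here, -545 and -567 in the next part), but nothing in the file explains the coupling: a reader of one unit cannot see that `pipe`/`pipe2` are members of systemd's `@ipc` group and that the unprefixed entries after the `~` list re-allow them, the same way `"@chown"` already does. I would put that next to the shared definition, e.g. `# @ipc is denied; pipe/pipe2 are part of @ipc and are re-allowed per unit below (presumably needed by the Ruby/Node workers — confirm)`. Repeating the pair in five units is also fragile; a shared `systemCallsAllowed = [ "pipe" "pipe2" ];` beside `systemCallsList`, appended in each unit, would keep future adjustments to the allow-back list in one place. Operationally, any other `@ipc` member a worker uses (shm*, mq_*, memfd_create, process_vm_*) will now terminate that process with SIGSYS unless `SystemCallErrorNumber=` is set in `cfgService`, which is not visible in these hunks, so each unit — including the media paths the -545/-567 hunks show via `path = with pkgs; [ file imagemagick ffmpeg ]` — deserves a run with the journal watched for seccomp kills before this lands.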
@@ -545,7 +545,7 @@ in {
 RuntimeDirectory = "mastodon-web";
 RuntimeDirectoryMode = "0750";
 # System Call Filtering
- SystemCallFilter = [ ("~" + lib.concatStringsSep " " (systemCallsList ++ [ "@resources" ])) "@chown" ];
+ SystemCallFilter = [ ("~" + lib.concatStringsSep " " (systemCallsList ++ [ "@resources" ])) "@chown" "pipe" "pipe2" ];
 } // cfgService;
 path = with pkgs; [ file imagemagick ffmpeg ];
 };
@@ -567,7 +567,7 @@ in {
 EnvironmentFile = "/var/lib/mastodon/.secrets_env";
 WorkingDirectory = cfg.package;
 # System Call Filtering
- SystemCallFilter = [ ("~" + lib.concatStringsSep " " systemCallsList) "@chown" ];
+ SystemCallFilter = [ ("~" + lib.concatStringsSep " " systemCallsList) "@chown" "pipe" "pipe2" ];
 } // cfgService;
 path = with pkgs; [ file imagemagick ffmpeg ];
 }; |