author | Jörg Thalheim <Mic92@users.noreply.github.com> | 2021-05-17 12:06:06 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-05-17 12:06:06 +0100 |
commit | b900661f6e26d9822a0bbc0e6b7b86c64cf816b3 (patch) | |
tree | 6a884a917c7778cf85adb82dbceec13279649456 /nixos/modules | |
parent | 70b37f9bf2cb942231e622843992705a1f73eafb (diff) | |
parent | feebe402f55fcb38b873370bee8fa09979018e85 (diff) | |
Merge pull request #122825 from Izorkin/update-duplicates-systemcallfilters
treewide: remove duplicates SystemCallFilters
Diffstat (limited to 'nixos/modules')
-rw-r--r-- | nixos/modules/services/databases/redis.nix | 2 | ||||
-rw-r--r-- | nixos/modules/services/misc/jellyfin.nix | 4 | ||||
-rw-r--r-- | nixos/modules/services/network-filesystems/samba-wsdd.nix | 2 | ||||
-rw-r--r-- | nixos/modules/services/networking/croc.nix | 4 | ||||
-rw-r--r-- | nixos/modules/services/web-apps/shiori.nix | 5 | ||||
-rw-r--r-- | nixos/modules/services/web-servers/nginx/default.nix | 2 |
6 files changed, 6 insertions, 13 deletions
diff --git a/nixos/modules/services/databases/redis.nix b/nixos/modules/services/databases/redis.nix
index 7ec10c0eb5a..c4d51958e23 100644
--- a/nixos/modules/services/databases/redis.nix
+++ b/nixos/modules/services/databases/redis.nix
@@ -331,7 +331,7 @@ in {
 PrivateMounts = true;
 # System Call Filtering
 SystemCallArchitectures = "native";
- SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @memlock @module @mount @obsolete @privileged @raw-io @reboot @resources @setuid @swap";
+ SystemCallFilter = "~@cpu-emulation @debug @keyring @memlock @mount @obsolete @privileged @resources @setuid";
 };
 };
 };
diff --git a/nixos/modules/services/misc/jellyfin.nix b/nixos/modules/services/misc/jellyfin.nix
index c1b45864041..6d64acc0291 100644
--- a/nixos/modules/services/misc/jellyfin.nix
+++ b/nixos/modules/services/misc/jellyfin.nix
@@ -92,9 +92,7 @@ in
 SystemCallErrorNumber = "EPERM";
 SystemCallFilter = [
 "@system-service"
-
- "~@chown" "~@cpu-emulation" "~@debug" "~@keyring" "~@memlock" "~@module"
- "~@obsolete" "~@privileged" "~@setuid"
+ "~@cpu-emulation" "~@debug" "~@keyring" "~@memlock" "~@obsolete" "~@privileged" "~@setuid"
 ];
 };
 };
diff --git a/nixos/modules/services/network-filesystems/samba-wsdd.nix b/nixos/modules/services/network-filesystems/samba-wsdd.nix
index c68039c79e2..800ef448d37 100644
--- a/nixos/modules/services/network-filesystems/samba-wsdd.nix
+++ b/nixos/modules/services/network-filesystems/samba-wsdd.nix
@@ -117,7 +117,7 @@ in {
 PrivateMounts = true;
 # System Call Filtering
 SystemCallArchitectures = "native";
- SystemCallFilter = "~@clock @cpu-emulation @debug @module @mount @obsolete @privileged @raw-io @reboot @resources @swap";
+ SystemCallFilter = "~@cpu-emulation @debug @mount @obsolete @privileged @resources";
 };
 };
 };
diff --git a/nixos/modules/services/networking/croc.nix b/nixos/modules/services/networking/croc.nix
index b218fab2196..9466adf71d8 100644
--- a/nixos/modules/services/networking/croc.nix
+++ b/nixos/modules/services/networking/croc.nix
@@ -72,9 +72,7 @@ in
 RuntimeDirectoryMode = "700";
 SystemCallFilter = [
 "@system-service"
- "~@aio" "~@chown" "~@keyring" "~@memlock"
- "~@privileged" "~@resources" "~@setuid"
- "~@sync" "~@timer"
+ "~@aio" "~@keyring" "~@memlock" "~@privileged" "~@resources" "~@setuid" "~@sync" "~@timer"
 ];
 SystemCallArchitectures = "native";
 SystemCallErrorNumber = "EPERM";
diff --git a/nixos/modules/services/web-apps/shiori.nix b/nixos/modules/services/web-apps/shiori.nix
index 8f96dd9b5dd..a15bb9744a9 100644
--- a/nixos/modules/services/web-apps/shiori.nix
+++ b/nixos/modules/services/web-apps/shiori.nix
@@ -86,10 +86,7 @@ in {
 SystemCallErrorNumber = "EPERM";
 SystemCallFilter = [
 "@system-service"
-
- "~@chown" "~@cpu-emulation" "~@debug" "~@keyring" "~@memlock"
- "~@module" "~@obsolete" "~@privileged" "~@raw-io"
- "~@resources" "~@setuid"
+ "~@cpu-emulation" "~@debug" "~@keyring" "~@memlock" "~@obsolete" "~@privileged" "~@resources" "~@setuid"
 ];
 };
 };
diff --git a/nixos/modules/services/web-servers/nginx/default.nix b/nixos/modules/services/web-servers/nginx/default.nix
index 705f041eeab..0e99aabcfc0 100644
--- a/nixos/modules/services/web-servers/nginx/default.nix
+++ b/nixos/modules/services/web-servers/nginx/default.nix
@@ -859,7 +859,7 @@ in
 PrivateMounts = true;
 # System Call Filtering
 SystemCallArchitectures = "native";
- SystemCallFilter = "~@chown @cpu-emulation @debug @keyring @ipc @module @mount @obsolete @privileged @raw-io @reboot @setuid @swap";
+ SystemCallFilter = "~@cpu-emulation @debug @keyring @ipc @mount @obsolete @privileged @setuid";
 };
 };
|
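Review bot: The shortened `SystemCallFilter` in the nginx hunk still blocks `@chown`, `@module`, `@raw-io`, `@reboot` and `@swap` only because `@privileged` contains them, and nothing on the line records that. A later edit that drops `@privileged` to unblock a single syscall would silently re-allow all of them, so I would add a comment above it, e.g. `# @privileged also covers @chown @module @raw-io @reboot @swap`. The same applies to the redis and samba-wsdd hunks (there including `@clock`) and to the `~@privileged` entry in the jellyfin, croc and shiori lists, where `@chown` is otherwise granted by `@system-service`. Group membership can change between systemd releases, so confirm it on the deployed version with `systemd-analyze syscall-filter @privileged`. The enclosing attribute sets start outside the hunks.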