From bfe73f95430a71daf1d2fdf1ae6832f2a4db0f35 Mon Sep 17 00:00:00 2001
From: Pierre Bourdon
Date: Tue, 6 Sep 2022 02:10:47 +0200
Subject: nixos/grafana: loosen systemd syscall sandboxing

Allow @resources syscalls in the grafana.service unit. While Grafana itself does not need them, some plugins (incl. first party) crash if they fail to setrlimit. This was first seen with the official grafana Clickhouse datasource plugin. The @resources syscalls set is fairly harmess anyway.
---
 nixos/modules/services/monitoring/grafana.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'nixos/modules/services/monitoring/grafana.nix')

diff --git a/nixos/modules/services/monitoring/grafana.nix b/nixos/modules/services/monitoring/grafana.nix
index d72aaf0464e..dd99fa3ddcc 100644
--- a/nixos/modules/services/monitoring/grafana.nix
+++ b/nixos/modules/services/monitoring/grafana.nix
@@ -792,7 +792,7 @@ in {
 SystemCallArchitectures = "native";
 # Upstream grafana is not setting SystemCallFilter for compatibility
 # reasons, see https://github.com/grafana/grafana/pull/40176
- SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ];
+ SystemCallFilter = [ "@system-service" "~@privileged" ];
 UMask = "0027";
 };
 preStart = ''
-- 
cgit 1.4.1
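Review bot: Dropping `"~@resources"` re-allows the whole group (resource-limit, priority and scheduling calls) for the entire grafana.service process, while the description only says plugins fail on setrlimit; a narrower filter keeps the group denied and re-allows just that call, e.g. `SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" "setrlimit" "prlimit64" ];` (prlimit64 being what glibc issues for setrlimit on current kernels — worth confirming with the Clickhouse plugin before relying on it). Whichever width is chosen, the existing comment above the line still only explains why upstream sets no filter at all, so the reason for the relaxation is lost; add above the new line `# @resources is not denied: some plugins (e.g. the Clickhouse datasource) call setrlimit at startup and crash when it fails.` The enclosing serviceConfig attribute set starts before this hunk.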