From feebe402f55fcb38b873370bee8fa09979018e85 Mon Sep 17 00:00:00 2001
From: Izorkin
Date: Thu, 13 May 2021 15:29:25 +0300
Subject: treewide: remove duplicates SystemCallFilters
---
 nixos/modules/services/databases/redis.nix | 2 +-
 nixos/modules/services/misc/jellyfin.nix | 4 +---
 nixos/modules/services/network-filesystems/samba-wsdd.nix | 2 +-
 nixos/modules/services/networking/croc.nix | 4 +---
 nixos/modules/services/web-apps/shiori.nix | 5 +----
 nixos/modules/services/web-servers/nginx/default.nix | 2 +-
 6 files changed, 6 insertions(+), 13 deletions(-)
(limited to 'nixos/modules')
diff --git a/nixos/modules/services/databases/redis.nix b/nixos/modules/services/databases/redis.nix
index 7ec10c0eb5a..c4d51958e23 100644
--- a/nixos/modules/services/databases/redis.nix
+++ b/nixos/modules/services/databases/redis.nix
@@ -331,7 +331,7 @@ in {
 PrivateMounts = true;
 # System Call Filtering
 SystemCallArchitectures = "native";
- SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @memlock @module @mount @obsolete @privileged @raw-io @reboot @resources @setuid @swap";
+ SystemCallFilter = "~@cpu-emulation @debug @keyring @memlock @mount @obsolete @privileged @resources @setuid";
 };
 };
 };
diff --git a/nixos/modules/services/misc/jellyfin.nix b/nixos/modules/services/misc/jellyfin.nix
index c1b45864041..6d64acc0291 100644
--- a/nixos/modules/services/misc/jellyfin.nix
+++ b/nixos/modules/services/misc/jellyfin.nix
@@ -92,9 +92,7 @@ in
 SystemCallErrorNumber = "EPERM";
 SystemCallFilter = [
 "@system-service"
-
- "~@chown" "~@cpu-emulation" "~@debug" "~@keyring" "~@memlock" "~@module"
- "~@obsolete" "~@privileged" "~@setuid"
+ "~@cpu-emulation" "~@debug" "~@keyring" "~@memlock" "~@obsolete" "~@privileged" "~@setuid"
 ];
 };
 };
diff --git a/nixos/modules/services/network-filesystems/samba-wsdd.nix b/nixos/modules/services/network-filesystems/samba-wsdd.nix
index c68039c79e2..800ef448d37 100644
--- a/nixos/modules/services/network-filesystems/samba-wsdd.nix
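Review bot: The shortened `SystemCallFilter` in redis.nix still blocks `@clock`, `@module`, `@raw-io`, `@reboot` and `@swap` only because systemd's `@privileged` set contains them, and nothing on the new line records that dependency. The same holds for `@chown` and the other groups dropped in the jellyfin, samba-wsdd, croc, shiori and nginx hunks. I would add a comment above each filter such as `# @privileged already includes @chown @clock @module @raw-io @reboot @swap; re-add them if @privileged is ever removed`, so that a later edit relaxing `@privileged` for one service does not silently re-allow module loading or raw I/O. `systemd-analyze syscall-filter @privileged` on the target systemd version confirms the membership. The attribute set holding this line begins above the hunk.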
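Review bot: The deny entries in jellyfin.nix are now packed onto one long list line, which makes the next change to the filter hard to read in a diff. Writing one group per line in sorted order (`"~@cpu-emulation"`, `"~@debug"`, `"~@keyring"` and so on, each on its own line) would show any later addition or removal as a single-line change. The croc and shiori hunks have the same layout, and the surrounding attribute set starts above the hunk.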
+++ b/nixos/modules/services/network-filesystems/samba-wsdd.nix
@@ -117,7 +117,7 @@ in {
 PrivateMounts = true;
 # System Call Filtering
 SystemCallArchitectures = "native";
- SystemCallFilter = "~@clock @cpu-emulation @debug @module @mount @obsolete @privileged @raw-io @reboot @resources @swap";
+ SystemCallFilter = "~@cpu-emulation @debug @mount @obsolete @privileged @resources";
 };
 };
 };
diff --git a/nixos/modules/services/networking/croc.nix b/nixos/modules/services/networking/croc.nix
index b218fab2196..9466adf71d8 100644
--- a/nixos/modules/services/networking/croc.nix
+++ b/nixos/modules/services/networking/croc.nix
@@ -72,9 +72,7 @@ in
 RuntimeDirectoryMode = "700";
 SystemCallFilter = [
 "@system-service"
- "~@aio" "~@chown" "~@keyring" "~@memlock"
- "~@privileged" "~@resources" "~@setuid"
- "~@sync" "~@timer"
+ "~@aio" "~@keyring" "~@memlock" "~@privileged" "~@resources" "~@setuid" "~@sync" "~@timer"
 ];
 SystemCallArchitectures = "native";
 SystemCallErrorNumber = "EPERM";
diff --git a/nixos/modules/services/web-apps/shiori.nix b/nixos/modules/services/web-apps/shiori.nix
index 8f96dd9b5dd..a15bb9744a9 100644
--- a/nixos/modules/services/web-apps/shiori.nix
+++ b/nixos/modules/services/web-apps/shiori.nix
@@ -86,10 +86,7 @@ in {
 SystemCallErrorNumber = "EPERM";
 SystemCallFilter = [
 "@system-service"
-
- "~@chown" "~@cpu-emulation" "~@debug" "~@keyring" "~@memlock"
- "~@module" "~@obsolete" "~@privileged" "~@raw-io"
- "~@resources" "~@setuid"
+ "~@cpu-emulation" "~@debug" "~@keyring" "~@memlock" "~@obsolete" "~@privileged" "~@resources" "~@setuid"
 ];
 };
 };
diff --git a/nixos/modules/services/web-servers/nginx/default.nix b/nixos/modules/services/web-servers/nginx/default.nix
index d811879b7b1..033e1584c11 100644
--- a/nixos/modules/services/web-servers/nginx/default.nix
+++ b/nixos/modules/services/web-servers/nginx/default.nix
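Review bot: The samba-wsdd filter is a pure deny-list: with no allow-list entry in front of the `~` groups, every syscall outside the named sets remains permitted, including any the kernel adds later. The redis and nginx filters in this commit have the same shape, while jellyfin, croc and shiori start from `"@system-service"` and then subtract. If wsdd runs correctly under it, the list form `SystemCallFilter = [ "@system-service" "~@cpu-emulation @debug @mount @obsolete @privileged @resources" ];` would give a default-deny baseline; this needs a test run of the service before merging. No `SystemCallErrorNumber` is visible in the hunk, so a blocked call presumably terminates the process rather than returning an error, though the attribute set begins above the hunk and may set it there.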
@@ -850,7 +850,7 @@ in
 PrivateMounts = true;
 # System Call Filtering
 SystemCallArchitectures = "native";
- SystemCallFilter = "~@chown @cpu-emulation @debug @keyring @ipc @module @mount @obsolete @privileged @raw-io @reboot @setuid @swap";
+ SystemCallFilter = "~@cpu-emulation @debug @keyring @ipc @mount @obsolete @privileged @setuid";
 };
 };
-- cgit 1.4.1