Merge pull request #182342 from veehaitch/github-runner-capset

nixos/github-runner: fix capset syscall filtering

authored by winter.bsky.social and committed by GitHub 2922becf 4152f64e

+1 -1
+1 -1
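--- a/nixos/modules/services/continuous-integration/github-runner.nix
+++ b/nixos/modules/services/continuous-integration/github-runner.nix
@@ -300,7 +300,6 @@
 UMask = "0066";
 ProtectProc = "invisible";
 SystemCallFilter = [
-"~@capset"
 "~@clock"
 "~@cpu-emulation"
 "~@module"
@@ -308,6 +307,7 @@
 "~@obsolete"
 "~@raw-io"
 "~@reboot"
+"~capset"
 "~setdomainname"
 "~sethostname"
 ];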
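Review bot: The added `"~capset"` entry carries no comment explaining why it is written without an `@`, so a later tidy-up could turn it back into the group form this commit removes. systemd does not appear to define a `@capset` syscall set, which would mean the old entry matched nothing and capset(2) stayed permitted for the runner; a comment beside the line would record that, e.g. `# plain syscall name: systemd has no "@capset" set (see systemd-analyze syscall-filter)`. An unknown set name seems to be logged and skipped rather than rejected when the unit loads, so if the module has a NixOS test it would be worth asserting there that the unit starts without filter warnings. One list entry between the two hunks is not shown, so the full SystemCallFilter is not visible here.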