commit 2922becf6d9701c3fc3dc7f4fe843980eb7d9d2d · pyrox.dev/nixpkgs

pyrox.dev / nixpkgs

lol

fork atom

Merge pull request #182342 from veehaitch/github-runner-capset

nixos/github-runner: fix capset syscall filtering

authored by winter.bsky.social and committed by GitHub 3 years ago 2922becf 4152f64e

+1 -1

1 changed file

expand all

unified split

nixos

modules

services

continuous-integration

github-runner.nix

+1 -1

nixos/modules/services/continuous-integration/github-runner.nix

··· 300 UMask = "0066"; 301 ProtectProc = "invisible"; 302 SystemCallFilter = [ 303 - "~@capset" 304 "~@clock" 305 "~@cpu-emulation" 306 "~@module" ··· 308 "~@obsolete" 309 "~@raw-io" 310 "~@reboot" 311 "~setdomainname" 312 "~sethostname" 313 ];

··· 300 UMask = "0066"; 301 ProtectProc = "invisible"; 302 SystemCallFilter = [ 303 "~@clock" 304 "~@cpu-emulation" 305 "~@module" ··· 307 "~@obsolete" 308 "~@raw-io" 309 "~@reboot" 310 + "~capset" 311 "~setdomainname" 312 "~sethostname" 313 ];