From 539b61ea378cbdf0e99fc5467312714e4fd05cc3 Mon Sep 17 00:00:00 2001
From: Vincent Haupert
Date: Thu, 21 Jul 2022 16:08:15 +0200
Subject: [PATCH] nixos/github-runner: fix capset syscall filtering

capset(2) is a single system call, not a set of multiple system calls.
---
 nixos/modules/services/continuous-integration/github-runner.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/nixos/modules/services/continuous-integration/github-runner.nix b/nixos/modules/services/continuous-integration/github-runner.nix
index a64d08c36cbb..19e73582a090 100644
--- a/nixos/modules/services/continuous-integration/github-runner.nix
+++ b/nixos/modules/services/continuous-integration/github-runner.nix
@@ -300,7 +300,6 @@ in
 UMask = "0066";
 ProtectProc = "invisible";
 SystemCallFilter = [
- "~@capset"
 "~@clock"
 "~@cpu-emulation"
 "~@module"
@@ -308,6 +307,7 @@ in
 "~@obsolete"
 "~@raw-io"
 "~@reboot"
+ "~capset"
 "~setdomainname"
 "~sethostname"
 ];
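Review bot: The new `"~capset"` entry in the second hunk makes this deny rule effective for what is probably the first time, and the hunk does not show how a blocked call is handled. The removed `"~@capset"` (first hunk) named a set that does not exist, which systemd most likely ignored with only a log warning, so until now the runner could still call capset(2). By default a filtered call terminates the process with SIGSYS; if the unit does not already set it outside this hunk, consider `SystemCallErrorNumber = "EPERM";` so job steps that try to change capabilities fail with an error instead of being killed. A short comment above the bare syscall names, e.g. `# single syscalls, not @-sets; check names with: systemd-analyze syscall-filter`, would help prevent the same mix-up. The enclosing attribute set starts and ends outside the hunk.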