Merge pull request #182342 from veehaitch/github-runner-capset

nixos/github-runner: fix capset syscall filtering
2022-07-21 11:26:34 -04:00 · 2022-07-21 11:26:34 -04:00 · 2922becf6d
commit 2922becf6d
parent 4152f64e90 539b61ea37
1 changed files with 1 additions and 1 deletions
--- a/nixos/modules/services/continuous-integration/github-runner.nix
+++ b/nixos/modules/services/continuous-integration/github-runner.nix
@ -300,7 +300,6 @@ in
        UMask = "0066";
        ProtectProc = "invisible";
        SystemCallFilter = [
          "~@capset"
          "~@clock"
          "~@cpu-emulation"
          "~@module"
@ -308,6 +307,7 @@ in
          "~@obsolete"
          "~@raw-io"
          "~@reboot"
          "~capset"
          "~setdomainname"
          "~sethostname"
        ];