servo: lemmy/lemmy-ui: harden the service with a syscall filter

2024-07-29 02:19:02 +00:00
parent 0fae963d90
commit 2c707c3acd
1 changed files with 1 additions and 1 deletions
--- a/hosts/by-name/servo/services/lemmy.nix
+++ b/hosts/by-name/servo/services/lemmy.nix
@@ -132,7 +132,7 @@ in {
    serviceConfig.RestrictNamespaces = true;
    serviceConfig.RestrictSUIDSGID = true;
    serviceConfig.SystemCallArchitectures = "native";
-    # serviceConfig.SystemCallFilter = [ "@system-service" ];  #< TODO: this crashes; it needs more
+    serviceConfig.SystemCallFilter = [ "@system-service" "@pkey" "@sandbox" ];
  };

  #v DO NOT REMOVE: defaults to 0.3, instead of latest, so always need to explicitly set this.