clightning: re-enable seccomp filtering

nixbitcoin 2021-12-08 12:13:09 +00:00
parent 16f5aa0561
commit 1a8e7d6348
No known key found for this signature in database
GPG Key ID: B6044ECBA2DAE5D0


@ -148,14 +148,6 @@ in {
Restart = "on-failure"; Restart = "on-failure";
RestartSec = "10s"; RestartSec = "10s";
ReadWritePaths = cfg.dataDir; ReadWritePaths = cfg.dataDir;
# TODO-EXTERNAL:
# The seccomp version used by systemd in NixOS 21.05 doesn't support
# handling syscall 436 (close_range), which has only recently been added:
# https://github.com/seccomp/libseccomp/commit/ac849e7960547d418009a783da654d5917dbfe2d
#
# Disable seccomp filtering because clightning depends on this syscall.
SystemCallFilter = [];
} // nbLib.allowedIPAddresses cfg.tor.enforce; } // nbLib.allowedIPAddresses cfg.tor.enforce;
# Wait until the rpc socket appears # Wait until the rpc socket appears
postStart = '' postStart = ''