b12f/nixpkgs
1
0
Fork 0
Code Issues Pull requests Packages Projects Releases Wiki Activity

nixos/grafana: loosen systemd syscall sandboxing

Browse source 
Allow @resources syscalls in the grafana.service unit. While Grafana
itself does not need them, some plugins (incl. first party) crash if
they fail to setrlimit. This was first seen with the official grafana
Clickhouse datasource plugin.

The @resources syscalls set is fairly harmess anyway.
This commit is contained in:
Pierre Bourdon 2022-09-06 02:10:47 +02:00
parent 76daf3b9da
commit bfe73f9543
No known key found for this signature in database
GPG key ID: 6FB80DCD84DA0F1C
1 changed files with 1 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
nixos/modules/services/monitoring/grafana.nix
View file

@ -792,7 +792,7 @@ in {
SystemCallArchitectures = "native";
# Upstream grafana is not setting SystemCallFilter for compatibility
# reasons, see https://github.com/grafana/grafana/pull/40176
SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ];
SystemCallFilter = [ "@system-service" "~@privileged" ];
UMask = "0027";
};
preStart = ''