nixos/matrix-appservice-irc: fix chown of registration.yml in pre-script

Before the startup, the matrix-appservice-irc service sets up the
registration file such that it can be used by matrix-synapse. Part of
that setup requires us to change the group of said file so that the home
server can read it. Consequently, we need CAP_CHOWN and require that the
@chown system calls are allowed.

While we supposedly set up both of these, the setup of system calls is
broken as we have both an allow and a deny list of syscalls. But while
the allow list contains "@chown", the deny list contains "@privileged"
which contains "@chown" itself. So ultimately, we end up denying
"@chown".

Fix this issue by specifying "@chown" after the deny list.
Patrick Steinhardt 2024-04-27 15:19:28 +02:00
parent 60cb88cc49
commit ff3358b3f5

@ -214,8 +214,9 @@ in {
RestrictRealtime = true;
PrivateMounts = true;
SystemCallFilter = [
"@system-service @pkey @chown"
"@system-service @pkey"
"~@privileged @resources"
"@chown"
];
SystemCallArchitectures = "native";
# AF_UNIX is required to connect to a postgres socket.
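
Review bot: The standalone "@chown" entry placed after "~@privileged @resources" only works because systemd applies SystemCallFilter entries in order, and nothing in the file says so. Without a comment, a later cleanup could merge it back into the "@system-service @pkey" line and reintroduce the denial silently. Please add a short comment above that entry, in the style of the AF_UNIX comment a few lines below, stating that "@privileged" includes "@chown" and that the re-allow must stay last, and mention that it is needed for changing the group of registration.yml in the pre-start script.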