nixos/github-runner: fix capset syscall filtering

capset(2) is a single system call, not a set of multiple system calls.
2025-07-08 11:35:37 +03:00 · 2022-07-21 16:08:15 +02:00 · 2022-07-21 16:08:15 +02:00 · 539b61ea37
commit 539b61ea37
parent e3a3abe560
1 changed files with 1 additions and 1 deletions
--- a/nixos/modules/services/continuous-integration/github-runner.nix
+++ b/nixos/modules/services/continuous-integration/github-runner.nix
@ -300,7 +300,6 @@ in
        UMask = "0066";
        ProtectProc = "invisible";
        SystemCallFilter = [
-          "~@capset"
          "~@clock"
          "~@cpu-emulation"
          "~@module"
@ -308,6 +307,7 @@ in
          "~@obsolete"
          "~@raw-io"
          "~@reboot"
+          "~capset"
          "~setdomainname"
          "~sethostname"
        ];