movefasta/nixpkgs
0
0
Fork 0
mirror of https://github.com/NixOS/nixpkgs.git synced 2025-07-14 06:00:33 +03:00
Code Activity

nixos.photoprism: Relax sandbox to allow running exiftool

Browse source 
exiftool is written in Perl which appears to call `chown` as part of startup. This is blocked by the `@privileged` system call group. This causes a failure when changing image orientation.

Fixes: https://github.com/NixOS/nixpkgs/issues/249120
This commit is contained in:
Kevin Cox 2023-08-15 07:58:42 -04:00
parent ea95c09176
commit 86c67a1f11
No known key found for this signature in database
GPG key ID: 9BB92CC1552E99AA
1 changed files with 1 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

2
nixos/modules/services/web-apps/photoprism.nix
View file

@ -123,7 +123,7 @@ in
RestrictNamespaces = true;
RestrictRealtime = true;
SystemCallArchitectures = "native";
SystemCallFilter = [ "@system-service" "~@privileged @setuid @keyring" ];
SystemCallFilter = [ "@system-service" "~@setuid @keyring" ];
UMask = "0066";
} // lib.optionalAttrs (cfg.port < 1024) {
AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];