diff options
| author | Kevin Cox <kevincox@kevincox.ca> | 2023-08-15 07:58:42 -0400 |
|---|---|---|
| committer | Kevin Cox <kevincox@kevincox.ca> | 2023-08-15 07:58:42 -0400 |
| commit | 86c67a1f112454d3906efd34f5249f3f23dd08fc (patch) | |
| tree | ec95eab4506a5711d076d2b13a05b726d17ea772 /nixos/modules/services/web-apps/photoprism.nix | |
| parent | ea95c0917609e5c48023cc7c6141bea2fdf13970 (diff) | |
| download | nixlib-86c67a1f112454d3906efd34f5249f3f23dd08fc.tar nixlib-86c67a1f112454d3906efd34f5249f3f23dd08fc.tar.gz nixlib-86c67a1f112454d3906efd34f5249f3f23dd08fc.tar.bz2 nixlib-86c67a1f112454d3906efd34f5249f3f23dd08fc.tar.lz nixlib-86c67a1f112454d3906efd34f5249f3f23dd08fc.tar.xz nixlib-86c67a1f112454d3906efd34f5249f3f23dd08fc.tar.zst nixlib-86c67a1f112454d3906efd34f5249f3f23dd08fc.zip | |
nixos.photoprism: Relax sandbox to allow running exiftool
exiftool is written in Perl which appears to call `chown` as part of startup. This is blocked by the `@privileged` system call group. This causes a failure when changing image orientation. Fixes: https://github.com/NixOS/nixpkgs/issues/249120
Diffstat (limited to 'nixos/modules/services/web-apps/photoprism.nix')
| -rw-r--r-- | nixos/modules/services/web-apps/photoprism.nix | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/nixos/modules/services/web-apps/photoprism.nix b/nixos/modules/services/web-apps/photoprism.nix index d5ca6014780a..423ad5375baa 100644 --- a/nixos/modules/services/web-apps/photoprism.nix +++ b/nixos/modules/services/web-apps/photoprism.nix @@ -123,7 +123,7 @@ in RestrictNamespaces = true; RestrictRealtime = true; SystemCallArchitectures = "native"; - SystemCallFilter = [ "@system-service" "~@privileged @setuid @keyring" ]; + SystemCallFilter = [ "@system-service" "~@setuid @keyring" ]; UMask = "0066"; } // lib.optionalAttrs (cfg.port < 1024) { AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ]; |