diff options
| author | Martin Weinelt <hexa@darmstadt.ccc.de> | 2022-09-04 13:46:35 +0200 |
|---|---|---|
| committer | Martin Weinelt <hexa@darmstadt.ccc.de> | 2022-09-04 16:16:45 +0200 |
| commit | 94f00041f0cd3916be55bc90367a3e160717533f (patch) | |
| tree | ab713423dd670876693636fae5de0467478d670a /nixos | |
| parent | 8da59ca2a25ee6c65089dd7250d1b3322699665c (diff) | |
| download | nixlib-94f00041f0cd3916be55bc90367a3e160717533f.tar nixlib-94f00041f0cd3916be55bc90367a3e160717533f.tar.gz nixlib-94f00041f0cd3916be55bc90367a3e160717533f.tar.bz2 nixlib-94f00041f0cd3916be55bc90367a3e160717533f.tar.lz nixlib-94f00041f0cd3916be55bc90367a3e160717533f.tar.xz nixlib-94f00041f0cd3916be55bc90367a3e160717533f.tar.zst nixlib-94f00041f0cd3916be55bc90367a3e160717533f.zip | |
nixos/paperless: Allow mbind syscall in paperless-web.services
After uploading a document through the webinterface I started seeing it killed through the SYSBUS signal. Inspecting the call trace led me to liblapack's memory allocator, that uses the mbind syscall on Linux.
Diffstat (limited to 'nixos')
| -rw-r--r-- | nixos/modules/services/misc/paperless.nix | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/nixos/modules/services/misc/paperless.nix b/nixos/modules/services/misc/paperless.nix index fbf1338a0dff..c17bde0da33c 100644 --- a/nixos/modules/services/misc/paperless.nix +++ b/nixos/modules/services/misc/paperless.nix @@ -287,8 +287,8 @@ in AmbientCapabilities = "CAP_NET_BIND_SERVICE"; CapabilityBoundingSet = "CAP_NET_BIND_SERVICE"; - # gunicorn needs setuid - SystemCallFilter = defaultServiceConfig.SystemCallFilter ++ [ "@setuid" ]; + # gunicorn needs setuid, liblapack needs mbind + SystemCallFilter = defaultServiceConfig.SystemCallFilter ++ [ "@setuid mbind" ]; # Needs to serve web page PrivateNetwork = false; }; |