From 2189c4ecce070aa8b301858c43af5facd75dc50d Mon Sep 17 00:00:00 2001
From: Alyssa Ross
Date: Fri, 25 Aug 2023 18:28:47 +0000
Subject: modules/spectrum/irccat: fix SystemCallFilter

The set of syscalls it uses appears to have changed in an update. @system-service is supposed to be "a reasonable set of system calls used by common system services, excluding any special purpose calls.", which sounds good enough.
---
 modules/server/spectrum/spectrumbot/irccat/default.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'modules/server/spectrum/spectrumbot')
diff --git a/modules/server/spectrum/spectrumbot/irccat/default.nix b/modules/server/spectrum/spectrumbot/irccat/default.nix
index 0f5352c761a4..f4efd3828703 100644
--- a/modules/server/spectrum/spectrumbot/irccat/default.nix
+++ b/modules/server/spectrum/spectrumbot/irccat/default.nix
@@ -47,7 +47,7 @@
 serviceConfig.RestrictNamespaces = true;
 serviceConfig.RestrictRealtime = true;
 serviceConfig.SystemCallArchitectures = "native";
- serviceConfig.SystemCallFilter = "~@clock @cpu-emulation @debug @module @mount @obsolete @privileged @raw-io @reboot @resources @swap";
+ serviceConfig.SystemCallFilter = [ "@system-service" "~@privileged" ];
 serviceConfig.UMask = "0077";
 };
 }
-- 
cgit 1.4.1
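Review bot: The new `SystemCallFilter` value on the `+` line re-allows the `@resources` group that the old deny-list blocked explicitly, because systemd's `@system-service` set includes `@resources` and `~@privileged` does not subtract it. The commit message does not say which syscall started failing, so unless the updated irccat needs one of those calls, `serviceConfig.SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ];` would keep the earlier restriction while still moving to an allow-list. A short comment such as `# allow-list first; the ~groups that follow are subtracted from it` would record why the order of the list entries matters. The enclosing attribute set begins above the hunk, so other settings that affect the filter (for example `SystemCallErrorNumber`) are not visible here.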