Merge pull request #181867 from newAM/github-runner

nixos/github-runner: fix systemd defaults for common workflows
2022-07-19 12:56:17 +02:00 · 2022-07-19 12:56:17 +02:00 · bca69a4037
parent a8df6f3109 c34749dd63
commit bca69a4037
1 changed files with 19 additions and 5 deletions
--- a/nixos/modules/services/continuous-integration/github-runner.nix
+++ b/nixos/modules/services/continuous-integration/github-runner.nix
@ -280,7 +280,6 @@ in
        CapabilityBoundingSet = "";
        # ProtectClock= adds DeviceAllow=char-rtc r
        DeviceAllow = "";
-        LockPersonality = true;
        NoNewPrivileges = true;
        PrivateDevices = true;
        PrivateMounts = true;
@ -300,13 +299,17 @@ in
        RestrictSUIDSGID = true;
        UMask = "0066";
        ProtectProc = "invisible";
-        ProcSubset = "pid";
        SystemCallFilter = [
-          "~@debug"
-          "~@mount"
-          "~@privileged"
+          "~@capset"
+          "~@clock"
          "~@cpu-emulation"
+          "~@module"
+          "~@mount"
          "~@obsolete"
+          "~@raw-io"
+          "~@reboot"
+          "~setdomainname"
+          "~sethostname"
        ];
        RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" "AF_NETLINK" ];

@ -314,6 +317,17 @@ in
        PrivateNetwork = false;
        # Cannot be true due to Node
        MemoryDenyWriteExecute = false;
+
+        # The more restrictive "pid" option makes `nix` commands in CI emit
+        # "GC Warning: Couldn't read /proc/stat"
+        # You may want to set this to "pid" if not using `nix` commands
+        ProcSubset = "all";
+        # Coverage programs for compiled code such as `cargo-tarpaulin` disable
+        # ASLR (address space layout randomization) which requires the
+        # `personality` syscall
+        # You may want to set this to `true` if not using coverage tooling on
+        # compiled code
+        LockPersonality = false;
      };
    };
  };