systemd: drop @resources from SystemCallFilter blocklist (nginx workers need prlimit64); set SystemCallErrorNumber=EPERM

This commit is contained in:
root
2026-04-26 05:19:29 +00:00
parent a9a9981ae5
commit be3fb4a68f
2 changed files with 4 additions and 2 deletions
+2 -1
@@ -41,7 +41,8 @@ RestrictSUIDSGID=true
LockPersonality=true LockPersonality=true
SystemCallArchitectures=native SystemCallArchitectures=native
SystemCallFilter=@system-service SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources @mount @debug @cpu-emulation @obsolete @raw-io @reboot @swap SystemCallFilter=~@privileged @mount @debug @cpu-emulation @obsolete @raw-io @reboot @swap
SystemCallErrorNumber=EPERM
# Paths nginx legitimately writes to. ProtectSystem=strict makes everything # Paths nginx legitimately writes to. ProtectSystem=strict makes everything
# else read-only; these carve out the exceptions. # else read-only; these carve out the exceptions.
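Review bot: Removing `@resources` from the deny list on the `SystemCallFilter=~@privileged …` line re-allows the entire group for the worker processes — not just setrlimit/prlimit64 but also sched_setaffinity, sched_setscheduler, setpriority, set_mempolicy, mbind and ioprio_set — while the commit message names prlimit64 as the only call nginx needs. systemd merges `SystemCallFilter=` lines in order, so the narrower fix is to keep `@resources` in the deny list and add the two calls back on a following line: `SystemCallFilter=prlimit64 setrlimit` (glibc implements setrlimit() on top of prlimit64 on current kernels, so listing both covers either path). If the nginx config uses `worker_priority` or `worker_cpu_affinity`, `setpriority` and `sched_setaffinity` would have to be appended to that line as well. Separately, the new `SystemCallErrorNumber=EPERM` turns every filter hit from a SIGSYS kill that is visible in the journal into a quiet failure inside the worker, so future regressions or syscall probing by a compromised worker will no longer surface; a comment recording that tradeoff next to the line, e.g. `# EPERM instead of SIGSYS so a blocked call fails the request rather than killing the worker; filter hits are no longer logged`, would help the next maintainer.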
+2 -1
@@ -41,7 +41,8 @@ RestrictSUIDSGID=true
LockPersonality=true LockPersonality=true
SystemCallArchitectures=native SystemCallArchitectures=native
SystemCallFilter=@system-service SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources @mount @debug @cpu-emulation @obsolete @raw-io @reboot @swap SystemCallFilter=~@privileged @mount @debug @cpu-emulation @obsolete @raw-io @reboot @swap
SystemCallErrorNumber=EPERM
# Paths nginx legitimately writes to. ProtectSystem=strict makes everything # Paths nginx legitimately writes to. ProtectSystem=strict makes everything
# else read-only; these carve out the exceptions. # else read-only; these carve out the exceptions.
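Review bot: The `SystemCallFilter=~@privileged @mount …` line now permits all of `@resources` for this unit, which is more than the prlimit64 call the commit message justifies — the group also contains sched_setaffinity, sched_setscheduler, sched_setattr, setpriority, set_mempolicy, mbind and ioprio_set. Because systemd processes `SystemCallFilter=` assignments in order, keeping `@resources` in the deny list and appending `SystemCallFilter=prlimit64 setrlimit` afterwards re-opens only the calls nginx's worker_rlimit_nofile path needs (setrlimit is listed because glibc routes it through prlimit64, and the two may differ across libc versions). This same change appears in the sibling unit file in this commit, so the allow-back line belongs in both. With `SystemCallErrorNumber=EPERM` the kernel now returns an error instead of killing the process on a blocked call, which is presumably what prompted the change, but it also means the journal no longer shows which syscall was denied; if that observability matters, apply the errno only to the deny list entries you expect nginx to hit (systemd accepts a per-entry `:EPERM` suffix on deny-list items) and leave the rest at the default kill action.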