nixos/grafana: allow @chown syscalls when using unix sockets

Grafana will unconditionally call chown on the socket after creating it, even if the configuration does not ask for a different socket gid.
2024-09-21 04:49:01 +02:00 · 2022-12-13 02:47:50 +01:00 · 2022-12-13 02:47:50 +01:00 · 9be81d0acf
parent c2720cebe7
commit 9be81d0acf
1 changed files with 4 additions and 1 deletions
--- a/nixos/modules/services/monitoring/grafana.nix
+++ b/nixos/modules/services/monitoring/grafana.nix
@ -1291,7 +1291,10 @@ in {
        SystemCallArchitectures = "native";
        # Upstream grafana is not setting SystemCallFilter for compatibility
        # reasons, see https://github.com/grafana/grafana/pull/40176
-        SystemCallFilter = [ "@system-service" "~@privileged" ];
+        SystemCallFilter = [
+          "@system-service"
+          "~@privileged"
+        ] ++ lib.optional (cfg.settings.server.protocol == "socket") [ "@chown" ];
        UMask = "0027";
      };
      preStart = ''