Completely disable sandboxing for build service
parent
05f5971eed
commit
a4da436061
1 changed files with 12 additions and 3 deletions
|
|
@ -328,11 +328,20 @@ in
|
|||
Group = cfg.group;
|
||||
# Build can take a while, especially on first run
|
||||
TimeoutStartSec = "30min";
|
||||
# Allow write access to data directory for cloning and building
|
||||
ReadWritePaths = [ cfg.dataDir "/tmp" ];
|
||||
# Relax sandboxing for build scripts
|
||||
# Completely disable sandboxing for build (npm scripts need full access)
|
||||
PrivateTmp = false;
|
||||
PrivateDevices = false;
|
||||
ProtectSystem = false;
|
||||
ProtectHome = false;
|
||||
NoNewPrivileges = false;
|
||||
ProtectKernelTunables = false;
|
||||
ProtectKernelModules = false;
|
||||
ProtectControlGroups = false;
|
||||
RestrictNamespaces = false;
|
||||
RestrictSUIDSGID = false;
|
||||
LockPersonality = false;
|
||||
# Don't restrict syscalls
|
||||
SystemCallFilter = "";
|
||||
};
|
||||
|
||||
script = ''
|
||||
|
|
|
|||
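Review bot: Setting every hardening option off at once (`NoNewPrivileges = false;` through `SystemCallFilter = "";`) leaves the npm build scripts, which the comments describe as cloned and built by this service, running with no systemd confinement on the same host as the other services, and the comment does not say which option actually broke the build. Options such as `NoNewPrivileges`, `RestrictSUIDSGID`, `ProtectKernelTunables`, `ProtectKernelModules`, `ProtectControlGroups` and `LockPersonality` should not be needed by an unprivileged npm build, so I would keep them on and relax only the setting the failure points to, naming that failure in the comment. With `ProtectSystem = false` the `ReadWritePaths` line no longer restricts anything, and `PrivateTmp = false` puts the build's temporary files in the shared `/tmp`, whereas `PrivateTmp = true` gives the service a writable private one. The serviceConfig block starts outside the hunk, so any defaults merged in before these lines are not visible here, and the sketch below assumes `cfg.dataDir` is not under `/home`.

```nix
# … unchanged: Group, TimeoutStartSec …
# The build only needs to write its data directory; a private /tmp replaces the shared one
ReadWritePaths = [ cfg.dataDir ];
PrivateTmp = true;
ProtectSystem = "strict";
ProtectHome = true;
# Not required to run npm lifecycle scripts as an unprivileged user
NoNewPrivileges = true;
RestrictSUIDSGID = true;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectControlGroups = true;
LockPersonality = true;
# Relax a single option here only if the build log shows it is the cause, and say which
```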