Configures the syscall filter for postgresql.service. The keys are declarations for SystemCallFilter as described in systemd.exec(5).
The value is a boolean: true adds the attribute name to the syscall filter-set, false doesn't. This is done to allow downstream configurations to turn off restrictions made here. E.g. with
{
services.postgresql.systemCallFilter."~@resources" = false;
}
it's possible to remove the restriction on @resources (keep in mind that @system-service implies @resources).
As described in the section for , the ordering matters. Hence, it's also possible to specify customizations with
{
services.postgresql.systemCallFilter = {
"foobar" = { enable = true; priority = 23; };
};
}
enable is the flag that determines whether or not the attribute name is added to the SystemCallFilter of postgresql.service.
Settings with a higher priority are added after filter settings with a lower priority. Hence, syscall groups with a higher priority can discard declarations with a lower priority.
By default, syscall groups (i.e. attribute names starting with @) are added first, then negated groups (i.e. names with the ~@ prefix), and finally individual syscall names and their negations.
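A complete customization that uses both the boolean and the submodule form, added here as an illustration rather than taken from the module itself. It assumes the default entries shown on this page ("@system-service", "~@privileged", "~@resources") and that 2000 is higher than the module's default priority for plain syscall names:

```nix
{ config, lib, pkgs, ... }:
{
  services.postgresql = {
    enable = true;
    systemCallFilter = {
      # The defaults "@system-service", "~@privileged" and "~@resources"
      # stay in place; nothing here disables them.

      # Deny the legacy/obsolete syscall group on top of the defaults.
      # It is a negated group, so it is placed after "@system-service".
      "~@obsolete" = true;

      # Instead of dropping the whole "~@resources" restriction
      # (services.postgresql.systemCallFilter."~@resources" = false;),
      # re-allow only the single syscall a workload needs.  The explicit
      # priority (assumed to exceed the defaults) orders this entry after
      # "~@resources", so the later, more specific declaration wins.
      "setrlimit" = { enable = true; priority = 2000; };
    };
  };
}
```

After a rebuild, `systemctl show postgresql.service -p SystemCallFilter` prints the resulting ordered filter, which is the quickest way to confirm that the entry order matches the intended priorities.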
Type: attribute set of ((submodule) or boolean convertible to it)
Default:
{
"@system-service" = true;
"~@privileged" = true;
"~@resources" = true;
}