fix: add dup3, getsockname, symlink to GPU seccomp allowlist

These syscalls were being denied in enforcing mode, causing GPU device units to fail. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-21 15:13:35 +00:00 · 2026-03-21 15:13:35 +00:00 · d486c7ee0c
commit d486c7ee0c
parent d3d869c1ab
1 changed files with 3 additions and 0 deletions
--- a/modules/services.nix
+++ b/modules/services.nix
@ -74,6 +74,7 @@ let
    "connect"
    "dup"
    "dup2"
+    "dup3"
    "epoll_create1"
    "epoll_ctl"
    "epoll_pwait"
@ -101,6 +102,7 @@ let
    "getrandom"
    "getresgid"
    "getresuid"
+    "getsockname"
    "getsockopt"
    "gettid"
    "gettimeofday"
@ -168,6 +170,7 @@ let
    "stat"
    "statfs"
    "statx"
+    "symlink"
    "sysinfo"
    "tgkill"
    "uname"