Commit 2cee857

committed
fix: allow AF_NETLINK in systemd unit
1 parent b49862f commit 2cee857

2 files changed

+19
-3
lines changed

docs/INSTALL.md

Lines changed: 15 additions & 0 deletions
@@ -199,11 +199,26 @@ Common symptoms:
199199
|---------|-------|-----|
200200
| V8/Node.js crash (`ENOMEM` in `SetPermissions`) | `MemoryDenyWriteExecute=true` | Set to `false` |
201201
| "token invalid" / network errors | `RestrictAddressFamilies=AF_UNIX` | Add `AF_INET AF_INET6` |
202+
| Node/libuv fails enumerating interfaces after a runtime update | `RestrictAddressFamilies` missing `AF_NETLINK` | Add `AF_NETLINK` |
202203
| Tool hangs or gets killed | `SystemCallFilter` too strict | Check `journalctl` for SECCOMP audit messages |
203204
| "Read-only file system" on git fetch/push | `ProtectHome=read-only` blocks workspace writes | Add `ReadWritePaths=/path/to/workspace` |
204205

205206
After changes: `sudo systemctl daemon-reload && sudo systemctl restart claw-wrap`
206207

208+
If you installed an older copy of the unit before this fix landed, update the service
209+
or add an override:
210+
211+
```bash
212+
sudo systemctl edit claw-wrap.service
213+
```
214+
215+
Add:
216+
217+
```ini
218+
[Service]
219+
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
220+
```
221+
207222
### Workspace write failures (git, file operations)
208223

209224
The default unit has `ProtectHome=read-only`, which makes `/home` read-only for the daemon
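
Review bot: The override block under "Add:" pastes the full list `RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK`, while the new table row only says to add `AF_NETLINK`. An operator who deliberately runs with `AF_UNIX` alone (the local/offline case the unit's own comment describes) would re-enable `AF_INET`/`AF_INET6` by copying it as written. Suggest stating that `AF_NETLINK` is the only new family and that the rest of the list should match what the installed unit already allows. The new section also lands after the "After changes:" line, so it never tells the reader to restart the service once the override is saved; either move it above that line or repeat `sudo systemctl restart claw-wrap` after the ini block.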

init/claw-wrap.service

Lines changed: 4 additions & 3 deletions
@@ -47,9 +47,10 @@ SystemCallFilter=@system-service
4747
# TOOL-DEPENDENT — adjust based on your configured tools:
4848
#
4949
# Network access: tools that call external APIs (gh, gog, strawpoll)
50-
# need AF_INET/AF_INET6. Only use AF_UNIX alone if ALL tools are
51-
# local/offline.
52-
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
50+
# need AF_INET/AF_INET6. Node/libuv may also need AF_NETLINK to
51+
# enumerate network interfaces. Only use AF_UNIX alone if ALL tools
52+
# are local/offline.
53+
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
5354
#
5455
# JIT memory: Node.js (bird), Python, and other runtimes with JIT
5556
# compilers need writable+executable memory. Set to true only if
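
Review bot: The comment says Node/libuv "may also need" `AF_NETLINK`, but the `RestrictAddressFamilies=` line enables it unconditionally for every install, including setups with no Node-based tool configured. Suggest the comment say when the family can be dropped, and update the last sentence ("Only use AF_UNIX alone if ALL tools are local/offline") to state whether a local-only setup that still runs a Node tool should keep `AF_NETLINK` alongside `AF_UNIX`. A short line on which failure appears without it (the docs table mentions interface enumeration after a runtime update) would help operators decide whether to keep the wider allow-list.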
