Allow github runner to run sudo commands

So I have added a few sudo rows to my sudoers file that allow the user running the GitHub runner to run specific sudo commands without a password.
This works great when I run them manually as that user.
But when I try to execute them from the GitHub runner I get the error:

sudo: The "no new privileges" flag is set, which prevents sudo from running as root.
sudo: If sudo is running in a container, you may need to adjust the container configuration to disable the flag.

I set NoNewPrivileges to false using services.github-runners..serviceOverrides and it's correctly reflected in the service file, but sadly that didn't work, as I still get the same error.

So then I found the following text here:

NoNewPrivileges
Takes a boolean argument. If true, ensures that the service process and all its children can never gain new privileges through execve() (e.g. via setuid or setgid bits, or filesystem capabilities). This is the simplest and most effective way to ensure that a process and its children can never elevate privileges again. Defaults to false, but certain settings override this and ignore the value of this setting. This is the case when SystemCallFilter=, SystemCallArchitectures=, RestrictAddressFamilies=, RestrictNamespaces=, PrivateDevices=, ProtectKernelTunables=, ProtectKernelModules=, MemoryDenyWriteExecute=, RestrictRealtime=, RestrictSUIDSGID=, DynamicUser= or LockPersonality= are specified. Note that even if this setting is overridden by them, systemctl show shows the original value of this setting. See also: No New Privileges Flag.

Using serviceOverrides I can turn off all flags, but lists like SystemCallFilter and RestrictAddressFamilies are merged with the base definition…

So even if I write

RestrictAddressFamilies = [];
SystemCallFilter = [];

Nix still generates

RestrictAddressFamilies=AF_INET
RestrictAddressFamilies=AF_INET6
RestrictAddressFamilies=AF_UNIX
RestrictAddressFamilies=AF_NETLINK
SystemCallFilter=~@clock
SystemCallFilter=~@cpu-emulation
SystemCallFilter=~@module
SystemCallFilter=~@mount
SystemCallFilter=~@obsolete
SystemCallFilter=~@raw-io
SystemCallFilter=~@reboot
SystemCallFilter=~capset
SystemCallFilter=~setdomainname
SystemCallFilter=~sethostname

Is there some way to clear them, or is there some other way to run sudo commands?

I managed to clear them using:

RestrictAddressFamilies = lib.mkForce [];
SystemCallFilter = lib.mkForce [];

Whether this is the correct way I don't know, but it works.

But now I get the error:

sudo: /nix/store/k4wv1x26rba1hz725dcsawlzfpg3ywbl-sudo-1.9.15p5/bin/sudo must be owned by uid 0 and have the setuid bit set

My guess is that I added sudo incorrectly:

extraPackages = with pkgs; [
  sudo
];

The sudo command that's typically run is actually a setuid wrapper in /run/wrappers/bin.
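Putting the thread's findings together as one NixOS module, as an added example that is not from the original posts: the runner user, runner name, URL, token path and allowed command are placeholders, and security.sudo.extraRules stands in for the hand-edited sudoers rows.

```nix
{ config, lib, pkgs, ... }:

let
  runnerUser = "gh-runner";   # assumed: a real local user, not a DynamicUser
  # Only the exact commands the workflow needs. Keep this list narrow: the runner
  # executes whatever the checked-out workflow tells it to.
  allowedCommands = [
    "${pkgs.systemd}/bin/systemctl restart my-app.service"   # placeholder command
  ];
in
{
  users.users.${runnerUser} = { isSystemUser = true; group = runnerUser; };
  users.groups.${runnerUser} = { };

  # Passwordless sudo limited to the listed commands for this user only.
  security.sudo.extraRules = [{
    users = [ runnerUser ];
    commands = map (command: { inherit command; options = [ "NOPASSWD" ]; }) allowedCommands;
  }];

  services.github-runners.my-runner = {
    enable = true;
    url = "https://github.com/example-org/example-repo";   # placeholder
    tokenFile = "/run/secrets/github-runner-token";         # placeholder
    user = runnerUser;
    # Do NOT put pkgs.sudo in extraPackages: the store binary is not setuid and
    # fails with "must be owned by uid 0 and have the setuid bit set". Workflow
    # steps should call /run/wrappers/bin/sudo, the setuid wrapper NixOS provides.
    serviceOverrides = {
      NoNewPrivileges = false;
      # Boolean hardening options can simply be set to false ...
      DynamicUser = false;
      PrivateDevices = false;
      ProtectKernelTunables = false;
      ProtectKernelModules = false;
      RestrictNamespaces = false;
      RestrictRealtime = false;
      RestrictSUIDSGID = false;
      LockPersonality = false;
      MemoryDenyWriteExecute = false;
      # ... but list-valued options are merged with the module's base definition,
      # so they must be forced empty; any leftover entry keeps no_new_privs implied.
      RestrictAddressFamilies = lib.mkForce [ ];
      SystemCallFilter = lib.mkForce [ ];
    };
  };
}
```

Every option turned off here removes a sandbox layer from a service that runs untrusted workflow code, so disable only what is needed and confirm the result with `systemctl show github-runner-my-runner.service`.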