pyrox.dev / nixpkgs
lol
fork atom

nixos/yggdrasil: set proper SystemCallFilter

MidAutumnMoon 7742cd54 ae025da5

options
unified split
Changed files
+1 -1
nixos
modules
services
networking
yggdrasil.nix
+1 -1
nixos/modules/services/networking/yggdrasil.nix 
···

       
180

       
180

       
 

       
        RestrictNamespaces = true;


     

       
181

       
181

       
 

       
        RestrictRealtime = true;


     

       
182

       
182

       
 

       
        SystemCallArchitectures = "native";


     

       
183

       

       
-

       
        SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @resources";


     

       

       
183

       
+

       
        SystemCallFilter = [ "@system-service" "~@privileged @keyring" ];


     

       
184

       
184

       
 

       
      } // (if (cfg.group != null) then {


     

       
185

       
185

       
 

       
        Group = cfg.group;


     

       
186

       
186

       
 

       
      } else {});