pyrox.dev / nixpkgs
lol
fork atom

nixos/geoipupdate: set proper SystemCallFilter

MidAutumnMoon f4342c11 4fffb0e5

options
unified split
Changed files
+1 -1
nixos
modules
services
misc
geoipupdate.nix
+1 -1
nixos/modules/services/misc/geoipupdate.nix 
···

       
197

       
197

       
 

       
        ProtectKernelTunables = true;


     

       
198

       
198

       
 

       
        ProtectProc = "invisible";


     

       
199

       
199

       
 

       
        ProcSubset = "pid";


     

       
200

       

       
-

       
        SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ];


     

       

       
200

       
+

       
        SystemCallFilter = [ "@system-service" "~@privileged" ];


     

       
201

       
201

       
 

       
        RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];


     

       
202

       
202

       
 

       
        RestrictRealtime = true;


     

       
203

       
203

       
 

       
        RestrictNamespaces = true;