From 13d8ed59016e492edc92407d4691e45b4fc09d4e Mon Sep 17 00:00:00 2001
From: Lu Wang
Date: Fri, 20 Dec 2024 16:36:02 +0800
Subject: [PATCH] lib/misc: add umask to serviceHardened
---
 lib/misc/service-hardened.nix | 1 +
 1 file changed, 1 insertion(+)
diff --git a/lib/misc/service-hardened.nix b/lib/misc/service-hardened.nix
index 0d021c6..9c54436 100644
--- a/lib/misc/service-hardened.nix
+++ b/lib/misc/service-hardened.nix
@@ -33,4 +33,5 @@ lib.mapAttrs (_k: lib.mkOptionDefault) {
 SystemCallArchitectures = "native";
 SystemCallErrorNumber = "EPERM";
 SystemCallFilter = [ "@system-service" ];
+ UMask = "0077";
 }
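Review bot: The added `UMask = "0077";` line has no comment, and since this set is the shared serviceHardened default, any consuming unit that hands a Unix socket or files to a group will silently start creating them owner-only. I would put `# owner-only files and sockets by default; a unit that shares them with a group overrides this, e.g. UMask = "0027"` above it, which also records that the `lib.mkOptionDefault` wrapper makes the value overridable. UMask does not, as far as I know, set the mode of directories systemd creates for `StateDirectory=` or `RuntimeDirectory=`; those come from `StateDirectoryMode=` and `RuntimeDirectoryMode=`, which default to 0755. Whether the set already tightens those cannot be seen here, because the attribute set begins outside the hunk.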