From 4a958c802908b90f60f7aac2c85de433c86ec76c Mon Sep 17 00:00:00 2001
From: Lu Wang
Date: Fri, 20 Dec 2024 19:35:33 +0800
Subject: [PATCH] lib/misc: filter resources and privileged syscalls

---
 lib/misc/service-hardened.nix | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/lib/misc/service-hardened.nix b/lib/misc/service-hardened.nix
index 9c54436..c9e4d4a 100644
--- a/lib/misc/service-hardened.nix
+++ b/lib/misc/service-hardened.nix
@@ -32,6 +32,11 @@ lib.mapAttrs (_k: lib.mkOptionDefault) {
   RestrictSUIDSGID = true;
   SystemCallArchitectures = "native";
   SystemCallErrorNumber = "EPERM";
-  SystemCallFilter = [ "@system-service" ];
+  SystemCallFilter = [
+    ""
+    "@system-service"
+    "~@resources"
+    "~@privileged"
+  ];
   UMask = "0077";
 }
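Review bot: The new denylist entries interact with the context line `SystemCallErrorNumber = "EPERM";` — a filtered syscall now returns EPERM inside the service instead of killing it with SIGSYS, so a service that calls setrlimit/prlimit64 or sched_set* (in @resources) or the setuid/setgroups/chroot family (in @privileged) will misbehave quietly rather than fail loudly in the journal, and nothing in the hunk documents this. To my knowledge @system-service itself allows @chown, @resources and @setuid, so the `~` entries genuinely narrow the allowlist and are not redundant; worth stating the intent. The leading `""` also deserves a comment, since its purpose (rendering an empty `SystemCallFilter=` line that resets any filter inherited from the unit or earlier definitions) is not obvious to a reader, e.g. `# "" resets inherited SystemCallFilter= lines; denied calls fail with EPERM (SystemCallErrorNumber), not SIGSYS`. Because the attrset is wrapped in `lib.mkOptionDefault` (visible in the hunk header), a consumer that sets SystemCallFilter at all replaces this whole list, so a service dropping privileges itself should either opt out explicitly or expect EPERM from these calls; the enclosing attrset starts outside the hunk.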