lib/misc: filter resources and privileged syscalls

2024-12-20 19:35:33 +08:00 · 2024-12-20 19:35:33 +08:00 · 4a958c8029
parent 13d8ed5901
commit 4a958c8029
1 changed files with 6 additions and 1 deletions
--- a/lib/misc/service-hardened.nix
+++ b/lib/misc/service-hardened.nix
@ -32,6 +32,11 @@ lib.mapAttrs (_k: lib.mkOptionDefault) {
  RestrictSUIDSGID = true;
  SystemCallArchitectures = "native";
  SystemCallErrorNumber = "EPERM";
-  SystemCallFilter = [ "@system-service" ];
+  SystemCallFilter = [
+    ""
+    "@system-service"
+    "~@resources"
+    "~@privileged"
+  ];
  UMask = "0077";
 }