pyrox.dev
lol
nixos/yggdrasil: set proper SystemCallFilter
+1
-1
+1
-1
nixos/modules/services/networking/yggdrasil.nix
+1
-1
nixos/modules/services/networking/yggdrasil.nix
···
180
180
RestrictNamespaces = true;
181
181
RestrictRealtime = true;
182
182
SystemCallArchitectures = "native";
183
-
SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @resources";
183
+
SystemCallFilter = [ "@system-service" "~@privileged @keyring" ];
184
184
} // (if (cfg.group != null) then {
185
185
Group = cfg.group;
186
186
} else {});