nixos/geoipupdate: set proper SystemCallFilter

pyrox.dev / nixpkgs

fork atom

lol

fork atom

MidAutumnMoon 3 years ago f4342c11 4fffb0e5

+1 -1

1 changed file

expand all

nixos

modules

services

misc

geoipupdate.nix

+1 -1

nixos/modules/services/misc/geoipupdate.nix

··· 197 197 ProtectKernelTunables = true; 198 198 ProtectProc = "invisible"; 199 199 ProcSubset = "pid"; 200 - SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ]; 200 + SystemCallFilter = [ "@system-service" "~@privileged" ]; 201 201 RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ]; 202 202 RestrictRealtime = true; 203 203 RestrictNamespaces = true;