module.nix: relax hardening

2024-10-22 19:49:52 +02:00 · 2024-10-22 19:49:52 +02:00 · 355d2ad13d
parent 9934b11766
commit 355d2ad13d
1 changed files with 8 additions and 6 deletions
--- a/module.nix
+++ b/module.nix
@ -135,18 +135,20 @@ in
          ProtectKernelModules = true;
          ProtectKernelTunables = true;
          ProtectProc = "invisible";
-          ProtectSystem = "full";
+          # I'll figure it out sometime
+          # ProtectSystem = "full";
          RemoveIPC = true;
          UMask = "0077";
          RestrictNamespaces = true;
          RestrictRealtime = true;
          RestrictSUIDSGID = true;
          SystemCallArchitectures = "native";
-          SystemCallFilter = [
-            "@system-service"
-            "~@privileged"
-            "~@resources"
-          ];
+          # Something brokey
+          # SystemCallFilter = [
+          #   "@system-service"
+          #   "~@privileged"
+          #   "~@resources"
+          # ];
        };
      };
    })