authorDaniel Schaefer <git@danielschaefer.me>2023-07-26 17:19:49 +0800
committergithub-actions[bot] <github-actions[bot]@users.noreply.github.com>2024-01-31 10:18:06 +0000
commitf61a065b3d7dd0b88b2656d448deefd62b7cc5d7 (patch)
tree4fafd4547ec4130f85992cf0384abec5e82e97e3 /nixos/modules
parentda9bd4f6d6d10d1e0d83d611c1ff426c8c016e95 (diff)
nixos/keyd: Allow service to call nice syscall
Otherwise it'll be killed by systemd with
Main process exited, code=killed, status=31/SYS

Signed-off-by: Daniel Schaefer <git@danielschaefer.me>
(cherry picked from commit 6591d332f93422e388ef6337f6b362b4ff8d0724)
Diffstat (limited to 'nixos/modules')
-rw-r--r--nixos/modules/services/hardware/keyd.nix6
1 files changed, 3 insertions, 3 deletions
diff --git a/nixos/modules/services/hardware/keyd.nix b/nixos/modules/services/hardware/keyd.nix
index 724e9b9568478..77297401a51c7 100644
--- a/nixos/modules/services/hardware/keyd.nix
+++ b/nixos/modules/services/hardware/keyd.nix
@@ -143,7 +143,7 @@ in
         RuntimeDirectory = "keyd";
 
         # Hardening
-        CapabilityBoundingSet = "";
+        CapabilityBoundingSet = [ "CAP_SYS_NICE" ];
         DeviceAllow = [
           "char-input rw"
           "/dev/uinput rw"
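Review bot: `CapabilityBoundingSet = [ "CAP_SYS_NICE" ]` only prevents the capability from being dropped; it does not grant it. That is enough if keyd runs as root, but the unit's `User=`/`DynamicUser=` settings are outside this hunk, so I cannot confirm; an unprivileged service would additionally need `AmbientCapabilities = [ "CAP_SYS_NICE" ];` for a negative nice value to succeed. Since the set was deliberately empty before, a short why-comment would keep it from being reverted, e.g. `# CAP_SYS_NICE is required for keyd's nice() call (see commit message)`.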
@@ -152,7 +152,7 @@ in
         PrivateNetwork = true;
         ProtectHome = true;
         ProtectHostname = true;
-        PrivateUsers = true;
+        PrivateUsers = false;
         PrivateMounts = true;
         PrivateTmp = true;
         RestrictNamespaces = true;
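Review bot: `PrivateUsers = false` is the largest hardening regression in this change and the commit message does not mention it; it only explains the syscall-filter SIGSYS. If the reason is that CAP_SYS_NICE held inside a private user namespace is not honoured for host scheduling, that belongs in an in-line comment so the next maintainer does not re-enable it, e.g. `# PrivateUsers disabled: CAP_SYS_NICE is only effective in the host user namespace`. If it turns out not to be needed for the nice() call, it should go back to `true`.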
@@ -165,9 +165,9 @@ in
         LockPersonality = true;
         ProtectProc = "invisible";
         SystemCallFilter = [
+          "nice"
           "@system-service"
           "~@privileged"
-          "~@resources"
         ];
         RestrictAddressFamilies = [ "AF_UNIX" ];
         RestrictSUIDSGID = true;
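Review bot: Dropping `~@resources` re-enables the whole group (setrlimit, prlimit64, sched_setscheduler, sched_setaffinity, ioprio_set, set_mempolicy and more) when the stated goal is a single nice() call. As far as I know glibc implements nice() through getpriority/setpriority rather than the raw `nice` syscall, so the added `"nice"` entry is probably not what stopped the SIGSYS; `setpriority`, which is in `@resources`, is. A tighter filter keeps the deny group and re-allows only that call, with the allow entry placed after the deny entry because systemd applies the list in order: `SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" "setpriority" ];` (add `"nice"` as well if the raw syscall should stay covered on architectures that have it).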