From f61a065b3d7dd0b88b2656d448deefd62b7cc5d7 Mon Sep 17 00:00:00 2001
From: Daniel Schaefer <git@danielschaefer.me>
Date: Wed, 26 Jul 2023 17:19:49 +0800
Subject: nixos/keyd: Allow service to call nice syscall

Otherwise it'll be killed by systemd with
Main process exited, code=killed, status=31/SYS

Signed-off-by: Daniel Schaefer <git@danielschaefer.me>
(cherry picked from commit 6591d332f93422e388ef6337f6b362b4ff8d0724)
---
 nixos/modules/services/hardware/keyd.nix | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

(limited to 'nixos')

diff --git a/nixos/modules/services/hardware/keyd.nix b/nixos/modules/services/hardware/keyd.nix
index 724e9b9568478..77297401a51c7 100644
--- a/nixos/modules/services/hardware/keyd.nix
+++ b/nixos/modules/services/hardware/keyd.nix
@@ -143,7 +143,7 @@ in
         RuntimeDirectory = "keyd";
 
         # Hardening
-        CapabilityBoundingSet = "";
+        CapabilityBoundingSet = [ "CAP_SYS_NICE" ];
         DeviceAllow = [
           "char-input rw"
           "/dev/uinput rw"
@@ -152,7 +152,7 @@ in
         PrivateNetwork = true;
         ProtectHome = true;
         ProtectHostname = true;
-        PrivateUsers = true;
+        PrivateUsers = false;
         PrivateMounts = true;
         PrivateTmp = true;
         RestrictNamespaces = true;
@@ -165,9 +165,9 @@ in
         LockPersonality = true;
         ProtectProc = "invisible";
         SystemCallFilter = [
+          "nice"
           "@system-service"
           "~@privileged"
-          "~@resources"
         ];
         RestrictAddressFamilies = [ "AF_UNIX" ];
         RestrictSUIDSGID = true;
-- 
cgit 1.4.1