diff --git a/module.nix b/module.nix
index 06981d1..1b0710c 100644
--- a/module.nix
+++ b/module.nix
@@ -62,33 +62,33 @@ in
 Group = cfg.group;
 PrivateMounts = true;
- PrivateDevices = true;
- PrivateTmp = true;
- PrivateIPC = true;
- PrivateUsers = true;
+ # PrivateDevices = true;
+ # PrivateTmp = true;
+ # PrivateIPC = true;
+ # PrivateUsers = true;
- SystemCallFilters = [
- "@aio"
- "@basic-io"
- "@file-system"
- "@io-event"
- "@process"
- "@network-io"
- "@timer"
- "@signal"
- "@alarm"
- ];
- SystemCallErrorNumber = "EPERM";
+ # SystemCallFilters = [
+ # "@aio"
+ # "@basic-io"
+ # "@file-system"
+ # "@io-event"
+ # "@process"
+ # "@network-io"
+ # "@timer"
+ # "@signal"
+ # "@alarm"
+ # ];
+ # SystemCallErrorNumber = "EPERM";
- ProtectSystem = "full";
- ProtectHome = true;
- ProtectHostname = true;
- ProtectClock = true;
- ProtectKernelTunables = true;
- ProtectKernelModules = true;
- ProtectKernelLogs = true;
- ProtectControlGroups = true;
- RestrictNamespaces = "";
+ # ProtectSystem = "full";
+ # ProtectHome = true;
+ # ProtectHostname = true;
+ # ProtectClock = true;
+ # ProtectKernelTunables = true;
+ # ProtectKernelModules = true;
+ # ProtectKernelLogs = true;
+ # ProtectControlGroups = true;
+ # RestrictNamespaces = "";
 NoNewPrivileges = true;
 ReadOnlyPaths = lib.mkMerge [
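Review bot: Commenting out everything from `PrivateDevices` through `RestrictNamespaces` leaves only `PrivateMounts` and `NoNewPrivileges` of the visible hardening, and nothing in the hunk records which directive was actually in the way. I would restore the block and disable only the setting that breaks the service, with the reason next to it, e.g. `# PrivateUsers = true;  # disabled: <reason>`. When the syscall filter comes back it should be spelled `SystemCallFilter` (singular); assuming these keys are written to the unit's [Service] section, systemd ignores the unknown name `SystemCallFilters`, so that allow-list was probably never enforced. Likewise, an empty `RestrictNamespaces` is documented as equivalent to off, so `RestrictNamespaces = true;` is the form that restricts namespace creation. The attribute set starts and ends outside the hunk.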