Let's disable some security.

2021-10-17 14:05:45 +02:00 · 2021-10-17 14:05:45 +02:00 · 4ee7a3abc1
commit 4ee7a3abc1
parent c9644c3fd7
1 changed files with 25 additions and 25 deletions
--- a/module.nix
+++ b/module.nix
@ -62,33 +62,33 @@ in
        Group = cfg.group;

        PrivateMounts = true;
-        PrivateDevices = true;
-        PrivateTmp = true;
-        PrivateIPC = true;
-        PrivateUsers = true;
+        # PrivateDevices = true;
+        # PrivateTmp = true;
+        # PrivateIPC = true;
+        # PrivateUsers = true;

-        SystemCallFilters = [
-          "@aio"
-          "@basic-io"
-          "@file-system"
-          "@io-event"
-          "@process"
-          "@network-io"
-          "@timer"
-          "@signal"
-          "@alarm"
-        ];
-        SystemCallErrorNumber = "EPERM";
+        # SystemCallFilters = [
+        #   "@aio"
+        #   "@basic-io"
+        #   "@file-system"
+        #   "@io-event"
+        #   "@process"
+        #   "@network-io"
+        #   "@timer"
+        #   "@signal"
+        #   "@alarm"
+        # ];
+        # SystemCallErrorNumber = "EPERM";

-        ProtectSystem = "full";
-        ProtectHome = true;
-        ProtectHostname = true;
-        ProtectClock = true;
-        ProtectKernelTunables = true;
-        ProtectKernelModules = true;
-        ProtectKernelLogs = true;
-        ProtectControlGroups = true;
-        RestrictNamespaces = "";
+        # ProtectSystem = "full";
+        # ProtectHome = true;
+        # ProtectHostname = true;
+        # ProtectClock = true;
+        # ProtectKernelTunables = true;
+        # ProtectKernelModules = true;
+        # ProtectKernelLogs = true;
+        # ProtectControlGroups = true;
+        # RestrictNamespaces = "";

        NoNewPrivileges = true;
        ReadOnlyPaths = lib.mkMerge [