nixos/keyd: Allow service to call nice syscall

Otherwise it'll be killed by systemd with Main process exited, code=killed, status=31/SYS Signed-off-by: Daniel Schaefer <git@danielschaefer.me>
2023-07-26 17:19:49 +08:00 · 2023-07-26 17:19:49 +08:00 · 6591d332f9
commit 6591d332f9
parent 1718e247eb
1 changed files with 3 additions and 3 deletions
--- a/nixos/modules/services/hardware/keyd.nix
+++ b/nixos/modules/services/hardware/keyd.nix
@ -133,7 +133,7 @@ in
        RuntimeDirectory = "keyd";

        # Hardening
-        CapabilityBoundingSet = "";
+        CapabilityBoundingSet = [ "CAP_SYS_NICE" ];
        DeviceAllow = [
          "char-input rw"
          "/dev/uinput rw"
@ -142,7 +142,7 @@ in
        PrivateNetwork = true;
        ProtectHome = true;
        ProtectHostname = true;
-        PrivateUsers = true;
+        PrivateUsers = false;
        PrivateMounts = true;
        PrivateTmp = true;
        RestrictNamespaces = true;
@ -155,9 +155,9 @@ in
        LockPersonality = true;
        ProtectProc = "invisible";
        SystemCallFilter = [
+          "nice"
          "@system-service"
          "~@privileged"
-          "~@resources"
        ];
        RestrictAddressFamilies = [ "AF_UNIX" ];
        RestrictSUIDSGID = true;