From 7742cd543da19a9b7bc32ead0394dfa9ff5c4bd1 Mon Sep 17 00:00:00 2001
From: MidAutumnMoon <me@418.im>
Date: Tue, 25 Oct 2022 16:09:31 +0800
Subject: nixos/yggdrasil: set proper SystemCallFilter

---
 nixos/modules/services/networking/yggdrasil.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'nixos/modules/services/networking/yggdrasil.nix')

diff --git a/nixos/modules/services/networking/yggdrasil.nix b/nixos/modules/services/networking/yggdrasil.nix
index e56f169d05e..3d5cbdd2dc3 100644
--- a/nixos/modules/services/networking/yggdrasil.nix
+++ b/nixos/modules/services/networking/yggdrasil.nix
@@ -180,7 +180,7 @@ in {
         RestrictNamespaces = true;
         RestrictRealtime = true;
         SystemCallArchitectures = "native";
-        SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @resources";
+        SystemCallFilter = [ "@system-service" "~@privileged @keyring" ];
       } // (if (cfg.group != null) then {
         Group = cfg.group;
       } else {});
-- 
cgit 1.4.1