nixos/keyd: Allow service to call nice syscall

Otherwise it'll be killed by systemd with Main process exited, code=killed, status=31/SYS Signed-off-by: Daniel Schaefer <git@danielschaefer.me>
NixOS · Jul 26, 2023 · 6591d33 · 6591d33
1 parent 1718e24
commit 6591d33
Showing 1 changed file with 3 additions and 3 deletions.
diff --git a/nixos/modules/services/hardware/keyd.nix b/nixos/modules/services/hardware/keyd.nix
@@ -133,7 +133,7 @@ in
         RuntimeDirectory = "keyd";
 
         # Hardening
-        CapabilityBoundingSet = "";
+        CapabilityBoundingSet = [ "CAP_SYS_NICE" ];
         DeviceAllow = [
           "char-input rw"
           "/dev/uinput rw"
@@ -142,7 +142,7 @@ in
         PrivateNetwork = true;
         ProtectHome = true;
         ProtectHostname = true;
-        PrivateUsers = true;
+        PrivateUsers = false;
         PrivateMounts = true;
         PrivateTmp = true;
         RestrictNamespaces = true;
@@ -155,9 +155,9 @@ in
         LockPersonality = true;
         ProtectProc = "invisible";
         SystemCallFilter = [
+          "nice"
           "@system-service"
           "~@privileged"
-          "~@resources"
         ];
         RestrictAddressFamilies = [ "AF_UNIX" ];
         RestrictSUIDSGID = true;