nixos/gotenberg: fix service config for chromium (NixOS#346639)

FliegendeWurst · web-flow · commit 63a6762cdfe7 · 2024-12-06T11:10:15.000+01:00
diff --git a/nixos/modules/services/misc/gotenberg.nix b/nixos/modules/services/misc/gotenberg.nix
@@ -228,7 +228,6 @@ in
         ProtectKernelModules = true;
         ProtectKernelTunables = true;
         ProtectProc = "invisible";
-        ProcSubset = "pid";
 
         RestrictAddressFamilies = [
           "AF_UNIX"
@@ -240,11 +239,10 @@ in
         RestrictRealtime = true;
 
         LockPersonality = true;
-        MemoryDenyWriteExecute = true;
 
         SystemCallFilter = [
+          "@sandbox"
           "@system-service"
-          "~@privileged"
         ];
         SystemCallArchitectures = "native";
 
