From 1f9cffdf50ad9e693194da514135163879f4485c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?F=C3=A9lix=20Pi=C3=A9dallu?=
Date: Tue, 6 Feb 2024 10:24:48 +0100
Subject: [PATCH] Fix sandboxing: disable @privileged

---
 conf/systemd.service | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/conf/systemd.service b/conf/systemd.service
index 7c6d01c..83db3c9 100644
--- a/conf/systemd.service
+++ b/conf/systemd.service
@@ -1,5 +1,5 @@
 [Unit]
-Description=OS.js: web-desktop.
+Description=OS.js: web-desktop.
 After=network.target
 
 [Service]
@@ -33,7 +33,8 @@ ProtectKernelModules=yes
 ProtectKernelTunables=yes
 LockPersonality=yes
 SystemCallArchitectures=native
-SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap @cpu-emulation @privileged
+SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap @cpu-emulation
+# @privileged
 # Denying access to capabilities that should not be relevant for webapps
 # Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html