diff --git a/static/Raccoon/nginx.service b/static/Raccoon/nginx.service
index 7708182..bd24fe1 100644
--- a/static/Raccoon/nginx.service
+++ b/static/Raccoon/nginx.service
@@ -41,7 +41,8 @@ RestrictSUIDSGID=true
 LockPersonality=true
 SystemCallArchitectures=native
 SystemCallFilter=@system-service
-SystemCallFilter=~@privileged @resources @mount @debug @cpu-emulation @obsolete @raw-io @reboot @swap
+SystemCallFilter=~@privileged @mount @debug @cpu-emulation @obsolete @raw-io @reboot @swap
+SystemCallErrorNumber=EPERM
 
 # Paths nginx legitimately writes to. ProtectSystem=strict makes everything
 # else read-only; these carve out the exceptions.
diff --git a/static/Trixie/nginx.service b/static/Trixie/nginx.service
index 7708182..bd24fe1 100644
--- a/static/Trixie/nginx.service
+++ b/static/Trixie/nginx.service
@@ -41,7 +41,8 @@ RestrictSUIDSGID=true
 LockPersonality=true
 SystemCallArchitectures=native
 SystemCallFilter=@system-service
-SystemCallFilter=~@privileged @resources @mount @debug @cpu-emulation @obsolete @raw-io @reboot @swap
+SystemCallFilter=~@privileged @mount @debug @cpu-emulation @obsolete @raw-io @reboot @swap
+SystemCallErrorNumber=EPERM
 
 # Paths nginx legitimately writes to. ProtectSystem=strict makes everything
 # else read-only; these carve out the exceptions.
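Review bot: Dropping `@resources` from the deny list on the second `SystemCallFilter=` line re-allows the whole group rather than only the calls nginx needs, and the hunk leaves no comment saying which nginx directive required it. If the trigger was rlimit, priority or CPU-affinity tuning for the workers (an assumption; the diff does not say), record that above the line, e.g. `# @resources stays allowed: nginx sets rlimits/priority/affinity for its workers`, and consider denying the unused members of the group by name. `SystemCallErrorNumber=EPERM` also changes a filter hit from a SIGSYS kill into a quiet error return, so a blocked call no longer leaves a crash to alert on; a `SystemCallLog=` entry for the denied groups (available in newer systemd releases; check the targets) would keep that signal. The same two lines are changed in static/Trixie/nginx.service, so the point applies there as well.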