From be3fb4a68f6c0b4e0fccc15902ea6fc5ac4161f2 Mon Sep 17 00:00:00 2001
From: root
Date: Sun, 26 Apr 2026 05:19:29 +0000
Subject: [PATCH] systemd: drop @resources from SystemCallFilter blocklist (nginx workers need prlimit64); set SystemCallErrorNumber=EPERM
---
 static/Raccoon/nginx.service | 3 ++-
 static/Trixie/nginx.service | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/static/Raccoon/nginx.service b/static/Raccoon/nginx.service
index 7708182..bd24fe1 100644
--- a/static/Raccoon/nginx.service
+++ b/static/Raccoon/nginx.service
@@ -41,7 +41,8 @@ RestrictSUIDSGID=true
 LockPersonality=true
 SystemCallArchitectures=native
 SystemCallFilter=@system-service
-SystemCallFilter=~@privileged @resources @mount @debug @cpu-emulation @obsolete @raw-io @reboot @swap
+SystemCallFilter=~@privileged @mount @debug @cpu-emulation @obsolete @raw-io @reboot @swap
+SystemCallErrorNumber=EPERM
 # Paths nginx legitimately writes to. ProtectSystem=strict makes everything
 # else read-only; these carve out the exceptions.
diff --git a/static/Trixie/nginx.service b/static/Trixie/nginx.service
index 7708182..bd24fe1 100644
--- a/static/Trixie/nginx.service
+++ b/static/Trixie/nginx.service
@@ -41,7 +41,8 @@ RestrictSUIDSGID=true
 LockPersonality=true
 SystemCallArchitectures=native
 SystemCallFilter=@system-service
-SystemCallFilter=~@privileged @resources @mount @debug @cpu-emulation @obsolete @raw-io @reboot @swap
+SystemCallFilter=~@privileged @mount @debug @cpu-emulation @obsolete @raw-io @reboot @swap
+SystemCallErrorNumber=EPERM
 # Paths nginx legitimately writes to. ProtectSystem=strict makes everything
 # else read-only; these carve out the exceptions.
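Review bot: Dropping @resources from the deny line in static/Raccoon/nginx.service re-allows the whole group (setrlimit, setpriority, sched_setaffinity and the rest of what `systemd-analyze syscall-filter @resources` lists) when the subject only claims a need for prlimit64. Since systemd merges successive SystemCallFilter= assignments, keeping the original `SystemCallFilter=~@privileged @resources @mount ...` line and appending `SystemCallFilter=prlimit64` should re-allow just that call; confirm with a test start of the unit before relying on it. The new `SystemCallErrorNumber=EPERM` line also changes what happens on every filtered call, not only prlimit64: the default terminates the process with SIGSYS and leaves an obvious journal entry, whereas EPERM makes a blocked call look like an ordinary application error, so a comment above it such as `# Return EPERM instead of SIGSYS so a blocked call degrades nginx rather than killing the worker` stating the trade-off, paired with `SystemCallLog=` where the installed systemd supports it, would keep violations auditable. Both points apply equally to the byte-identical hunk in static/Trixie/nginx.service (same index 7708182..bd24fe1).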