From bfbe2da85097448e900aa2904beb3517964cb603 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Kier=C3=A1n=20Meinhardt?=
Date: Tue, 17 Feb 2026 20:21:24 +0100
Subject: [PATCH] openclaw: soften the hardening
---
 systems/ful/openclaw.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/systems/ful/openclaw.nix b/systems/ful/openclaw.nix
index 8757f4e..af92de4 100644
--- a/systems/ful/openclaw.nix
+++ b/systems/ful/openclaw.nix
@@ -43,11 +43,11 @@
 ProtectClock = true;
 ProtectControlGroups = true;
 ProtectHostname = true;
- ProtectProc = "invisible";
 ProcSubset = "pid";
 RemoveIPC = true;
+ AmbientCapabilities = ["CAP_NET_RAW"]; # access chromium websockets
 RestrictSUIDSGID = true;
- RestrictNamespaces = true;
+ RestrictNamespaces = false; # might be used by websocket library
 RestrictRealtime = true;
 LockPersonality = true;
 UMask = "0077";
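Review bot: `AmbientCapabilities = ["CAP_NET_RAW"];` grants raw and packet socket access, which a WebSocket connection to Chromium does not need because WebSockets run over ordinary TCP; the line's comment therefore does not justify the grant, and I would drop the line or replace the comment with the actual operation that failed without it. `RestrictNamespaces = false;` lifts every namespace restriction on the strength of a "might be used" comment; if the real consumer is Chromium's sandbox (an inference, the hunk does not show it), an allow-list such as `RestrictNamespaces = "user pid net";` keeps the remaining namespace types blocked. The removal of `ProtectProc = "invisible";` carries no stated reason, so other users' processes become visible under /proc again while `ProcSubset = "pid";` stays; a one-line comment naming what broke would let a later reader restore it. The enclosing attribute set starts and ends outside the hunk, so a `CapabilityBoundingSet` or `RestrictAddressFamilies` setting elsewhere may already narrow this.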