nixos/gns3-server: disable SystemD hardening

nixos/modules/services/networking/gns3-server.nix

@@ -210,6 +210,8 @@ in {
 
       reloadTriggers = [ configFile ];
 
+      # SystemD sandboxing does not work with GNS3.
+      # GNS3 needs to run SUID binaries (ubridge), but NoNewPrivileges breaks execution of SUID binaries
       serviceConfig = {
         ConfigurationDirectory = "gns3";
         ConfigurationDirectoryMode = "0750";
@@ -232,37 +234,6 @@ in {
           ++ lib.optional cfg.ubridge.enable "ubridge";
         User = "gns3";
         WorkingDirectory = "%S/gns3";
-
-        # Hardening
-        DeviceAllow = lib.optional flags.enableLibvirtd "/dev/kvm";
-        DevicePolicy = "closed";
-        LockPersonality = true;
-        MemoryDenyWriteExecute = true;
-        NoNewPrivileges = true;
-        PrivateTmp = true;
-        PrivateUsers = true;
-        # Don't restrict ProcSubset because python3Packages.psutil requires read access to /proc/stat
-        # ProcSubset = "pid";
-        ProtectClock = true;
-        ProtectControlGroups = true;
-        ProtectHome = true;
-        ProtectHostname = true;
-        ProtectKernelLogs = true;
-        ProtectKernelModules = true;
-        ProtectKernelTunables = true;
-        ProtectProc = "invisible";
-        ProtectSystem = "strict";
-        RestrictAddressFamilies = [
-          "AF_INET"
-          "AF_INET6"
-          "AF_NETLINK"
-          "AF_UNIX"
-          "AF_PACKET"
-        ];
-        RestrictNamespaces = true;
-        RestrictRealtime = true;
-        RestrictSUIDSGID = true;
-        UMask = "0077";
       };
     };
   };