morgan/systemd
1
0
Fork 0
mirror of https://github.com/morgan9e/systemd synced 2026-04-15 00:47:10 +09:00
Code Issues Packages Projects Releases Wiki Activity

portable: add SystemCallFilter=@system-service to the three main portable service profiles

Browse Source 
… but leave the "trusted" profile unmodified, it shall have full access
to all system calls, as before.
This commit is contained in:
Lennart Poettering
2018-06-07 17:47:53 +02:00
parent ee8f26180d
commit 6f659e5075
3 changed files with 6 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
src/portable/profile/default/service.conf
View File

@@ -27,4 +27,6 @@ LockPersonality=yes
MemoryDenyWriteExecute=yes
RestrictRealtime=yes
RestrictNamespaces=yes
SystemCallFilter=@system-service
SystemCallErrorNumber=EPERM
SystemCallArchitectures=native

2
src/portable/profile/nonetwork/service.conf
View File

@@ -25,6 +25,8 @@ LockPersonality=yes
MemoryDenyWriteExecute=yes
RestrictRealtime=yes
RestrictNamespaces=yes
SystemCallFilter=@system-service
SystemCallErrorNumber=EPERM
SystemCallArchitectures=native
PrivateNetwork=yes
IPAddressDeny=any

2
src/portable/profile/strict/service.conf
View File

@@ -23,6 +23,8 @@ NoNewPrivileges=yes
MemoryDenyWriteExecute=yes
RestrictRealtime=yes
RestrictNamespaces=yes
SystemCallFilter=@system-service
SystemCallErrorNumber=EPERM
SystemCallArchitectures=native
PrivateNetwork=yes
IPAddressDeny=any