shaba/systemd-stable
1
1
Fork 0
mirror of https://github.com/systemd/systemd-stable.git synced 2025-03-12 08:58:20 +03:00
Code

portable: add SystemCallFilter=@system-service to the three main portable service profiles

Browse Source 
… but leave the "trusted" profile unmodified, it shall have full access
to all system calls, as before.
This commit is contained in:
Lennart Poettering 2018-06-07 17:47:53 +02:00
parent ee8f26180d
commit 6f659e5075
3 changed files with 6 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/portable/profile/default/service.conf
View File

@ -27,4 +27,6 @@ LockPersonality=yes
MemoryDenyWriteExecute=yes
RestrictRealtime=yes
RestrictNamespaces=yes
SystemCallFilter=@system-service
SystemCallErrorNumber=EPERM
SystemCallArchitectures=native

2
src/portable/profile/nonetwork/service.conf
View File

@ -25,6 +25,8 @@ LockPersonality=yes
MemoryDenyWriteExecute=yes
RestrictRealtime=yes
RestrictNamespaces=yes
SystemCallFilter=@system-service
SystemCallErrorNumber=EPERM
SystemCallArchitectures=native
PrivateNetwork=yes
IPAddressDeny=any

2
src/portable/profile/strict/service.conf
View File

@ -23,6 +23,8 @@ NoNewPrivileges=yes
MemoryDenyWriteExecute=yes
RestrictRealtime=yes
RestrictNamespaces=yes
SystemCallFilter=@system-service
SystemCallErrorNumber=EPERM
SystemCallArchitectures=native
PrivateNetwork=yes
IPAddressDeny=any