units: set SystemCallArchitectures=native on all our long-running services
parent
357e1b17b9
commit
7f396e5f66
@ -16,3 +16,4 @@ ConditionPathExists=!/run/plymouth/pid
|
||||
|
||||
[Service]
|
||||
ExecStart=@rootbindir@/systemd-tty-ask-password-agent --watch --console
|
||||
SystemCallArchitectures=native
|
||||
|
@ -13,3 +13,4 @@ After=systemd-user-sessions.service
|
||||
[Service]
|
||||
ExecStartPre=-@SYSTEMCTL@ stop systemd-ask-password-console.path systemd-ask-password-console.service systemd-ask-password-plymouth.path systemd-ask-password-plymouth.service
|
||||
ExecStart=@rootbindir@/systemd-tty-ask-password-agent --wall
|
||||
SystemCallArchitectures=native
|
||||
|
@ -22,3 +22,4 @@ OOMScoreAdjust=500
|
||||
PrivateNetwork=yes
|
||||
ProtectSystem=full
|
||||
RuntimeMaxSec=5min
|
||||
SystemCallArchitectures=native
|
||||
|
@ -26,3 +26,4 @@ MemoryDenyWriteExecute=yes
|
||||
RestrictRealtime=yes
|
||||
RestrictAddressFamilies=AF_UNIX
|
||||
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io
|
||||
SystemCallArchitectures=native
|
||||
|
@ -21,3 +21,4 @@ MemoryDenyWriteExecute=yes
|
||||
RestrictRealtime=yes
|
||||
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
|
||||
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @obsolete @raw-io
|
||||
SystemCallArchitectures=native
|
||||
|
@ -11,5 +11,6 @@ Documentation=man:systemd-initctl.service(8)
|
||||
DefaultDependencies=no
|
||||
|
||||
[Service]
|
||||
ExecStart=@rootlibexecdir@/systemd-initctl
|
||||
NotifyAccess=all
|
||||
ExecStart=@rootlibexecdir@/systemd-initctl
|
||||
SystemCallArchitectures=native
|
||||
|
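Review bot: This section changes more than the commit title announces: `ExecStart=@rootlibexecdir@/systemd-initctl` is printed both above and below `NotifyAccess=all`, and the header counts (5 old lines, 6 new) fit one line removed and two added, so the ExecStart= line appears to have been moved in addition to `SystemCallArchitectures=native` being added. The relative order of different keys inside [Service] does not change the resulting unit, so the move is cosmetic, but it is unrelated to the hardening change and would read more clearly as its own commit or with a line in the commit message. The page has lost its +/- markers, so which of the two positions is the new one is inferred, not shown.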
@ -25,6 +25,7 @@ ProtectKernelTunables=yes
|
||||
MemoryDenyWriteExecute=yes
|
||||
RestrictRealtime=yes
|
||||
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
|
||||
SystemCallArchitectures=native
|
||||
|
||||
# If there are many split upjournal files we need a lot of fds to
|
||||
# access them all and combine
|
||||
|
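Review bot: `SystemCallArchitectures=native` lands here directly after `RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6` with no `SystemCallFilter=` line in between, unlike most of the other hardened units on this page; the next two sections (both headed `@ -25,6 +25,7 @@ ProtectKernelTunables=yes`) have the same shape. On its own the new line only stops the service from issuing system calls through a non-native ABI; it adds no deny-list. The rest of each file is outside the hunk, so a filter may exist elsewhere, but if it does not, a follow-up could check whether a deny-list like `SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io` from the sibling units can be applied to these network-facing services without breaking them. Separately, the context comment below the new line reads `split upjournal files`, where the parallel unit further down has `split up journal files`.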
@ -25,6 +25,7 @@ ProtectKernelTunables=yes
|
||||
MemoryDenyWriteExecute=yes
|
||||
RestrictRealtime=yes
|
||||
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
|
||||
SystemCallArchitectures=native
|
||||
|
||||
[Install]
|
||||
Also=systemd-journal-remote.socket
|
||||
|
@ -25,6 +25,7 @@ ProtectKernelTunables=yes
|
||||
MemoryDenyWriteExecute=yes
|
||||
RestrictRealtime=yes
|
||||
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
|
||||
SystemCallArchitectures=native
|
||||
|
||||
# If there are many split up journal files we need a lot of fds to
|
||||
# access them all and combine
|
||||
|
@ -28,6 +28,7 @@ MemoryDenyWriteExecute=yes
|
||||
RestrictRealtime=yes
|
||||
RestrictAddressFamilies=AF_UNIX AF_NETLINK
|
||||
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io
|
||||
SystemCallArchitectures=native
|
||||
|
||||
# Increase the default a bit in order to allow many simultaneous
|
||||
# services being run since we keep one fd open per service. Also, when
|
||||
|
@ -26,3 +26,4 @@ MemoryDenyWriteExecute=yes
|
||||
RestrictRealtime=yes
|
||||
RestrictAddressFamilies=AF_UNIX
|
||||
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io
|
||||
SystemCallArchitectures=native
|
||||
|
@ -29,6 +29,7 @@ MemoryDenyWriteExecute=yes
|
||||
RestrictRealtime=yes
|
||||
RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
|
||||
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @obsolete @raw-io
|
||||
SystemCallArchitectures=native
|
||||
|
||||
# Increase the default a bit in order to allow many simultaneous
|
||||
# logins since we keep one fd open per session.
|
||||
|
@ -21,6 +21,7 @@ MemoryDenyWriteExecute=yes
|
||||
RestrictRealtime=yes
|
||||
RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
|
||||
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @obsolete @raw-io
|
||||
SystemCallArchitectures=native
|
||||
|
||||
# Note that machined cannot be placed in a mount namespace, since it
|
||||
# needs access to the host's mount namespace in order to implement the
|
||||
|
@ -35,6 +35,7 @@ MemoryDenyWriteExecute=yes
|
||||
RestrictRealtime=yes
|
||||
RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6 AF_PACKET
|
||||
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io
|
||||
SystemCallArchitectures=native
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
|
@ -35,6 +35,7 @@ MemoryDenyWriteExecute=yes
|
||||
RestrictRealtime=yes
|
||||
RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
|
||||
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io
|
||||
SystemCallArchitectures=native
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
|
@ -24,3 +24,4 @@ MemoryDenyWriteExecute=yes
|
||||
RestrictRealtime=yes
|
||||
RestrictAddressFamilies=AF_UNIX
|
||||
SystemCallFilter=~@cpu-emulation @debug @keyring @module @mount @obsolete @raw-io
|
||||
SystemCallArchitectures=native
|
||||
|
@ -34,6 +34,7 @@ MemoryDenyWriteExecute=yes
|
||||
RestrictRealtime=yes
|
||||
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
|
||||
SystemCallFilter=~@cpu-emulation @debug @keyring @module @mount @obsolete @raw-io
|
||||
SystemCallArchitectures=native
|
||||
|
||||
[Install]
|
||||
WantedBy=sysinit.target
|
||||
|
@ -28,3 +28,4 @@ MountFlags=slave
|
||||
MemoryDenyWriteExecute=yes
|
||||
RestrictRealtime=yes
|
||||
RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
|
||||
SystemCallArchitectures=native
|
||||
|
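Review bot: The restriction added at the end of this hunk applies to every process the unit starts, not only the main daemon, because seccomp filters are inherited across fork and exec. The file name is not shown on this page; if this unit's daemon executes helper programs supplied by other packages or by the administrator, a helper built for a secondary ABI (for example a 32-bit binary on a 64-bit host) will no longer be able to run under it. That is worth stating next to the setting, e.g. `# Also applies to helpers spawned by this service; they must be native-ABI binaries`, and in the release notes as a possible compatibility break. The [Service] section starts above the hunk.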