units: tighten system call filters a bit

Take away kernel keyring access, CPU emulation system calls and various debug
system calls from the various daemons we have.

units/systemd-hostnamed.service.in

@@ -21,4 +21,4 @@ PrivateNetwork=yes
 ProtectSystem=yes
 ProtectHome=yes
 MemoryDenyWriteExecute=yes
-SystemCallFilter=~@clock @module @mount @obsolete @raw-io ptrace
+SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io

units/systemd-importd.service.in

@@ -18,4 +18,4 @@ NoNewPrivileges=yes
 WatchdogSec=3min
 KillMode=mixed
 MemoryDenyWriteExecute=yes
-SystemCallFilter=~@clock @module @mount @obsolete @raw-io ptrace
+SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io

units/systemd-journald.service.in

@@ -25,7 +25,7 @@ CapabilityBoundingSet=CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SYS_PTRACE CAP_SYSLOG C
 WatchdogSec=3min
 FileDescriptorStoreMax=1024
 MemoryDenyWriteExecute=yes
-SystemCallFilter=~@clock @module @mount @obsolete @raw-io ptrace
+SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io
 
 # Increase the default a bit in order to allow many simultaneous
 # services being run since we keep one fd open per service. Also, when

units/systemd-localed.service.in

@@ -21,4 +21,4 @@ PrivateNetwork=yes
 ProtectSystem=yes
 ProtectHome=yes
 MemoryDenyWriteExecute=yes
-SystemCallFilter=~@clock @module @mount @obsolete @privileged @raw-io ptrace
+SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io

units/systemd-logind.service.in

@@ -26,7 +26,7 @@ BusName=org.freedesktop.login1
 CapabilityBoundingSet=CAP_SYS_ADMIN CAP_MAC_ADMIN CAP_AUDIT_CONTROL CAP_CHOWN CAP_KILL CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE CAP_FOWNER CAP_SYS_TTY_CONFIG
 WatchdogSec=3min
 MemoryDenyWriteExecute=yes
-SystemCallFilter=~@clock @module @mount @obsolete @raw-io ptrace
+SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @obsolete @raw-io
 
 # Increase the default a bit in order to allow many simultaneous
 # logins since we keep one fd open per session.

units/systemd-machined.service.in

@@ -18,7 +18,7 @@ BusName=org.freedesktop.machine1
 CapabilityBoundingSet=CAP_KILL CAP_SYS_PTRACE CAP_SYS_ADMIN CAP_SETGID CAP_SYS_CHROOT CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE CAP_CHOWN CAP_FOWNER CAP_FSETID CAP_MKNOD
 WatchdogSec=3min
 MemoryDenyWriteExecute=yes
-SystemCallFilter=~@clock @module @mount @obsolete @raw-io ptrace
+SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io
 
 # Note that machined cannot be placed in a mount namespace, since it
 # needs access to the host's mount namespace in order to implement the

units/systemd-networkd.service.m4.in

@@ -32,7 +32,7 @@ ProtectSystem=full
 ProtectHome=yes
 WatchdogSec=3min
 MemoryDenyWriteExecute=yes
-SystemCallFilter=~@clock @module @mount @obsolete @raw-io ptrace
+SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io
 
 [Install]
 WantedBy=multi-user.target

units/systemd-resolved.service.m4.in

@@ -28,7 +28,7 @@ ProtectSystem=full
 ProtectHome=yes
 WatchdogSec=3min
 MemoryDenyWriteExecute=yes
-SystemCallFilter=~@clock @module @mount @obsolete @raw-io ptrace
+SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io
 
 [Install]
 WantedBy=multi-user.target

units/systemd-timedated.service.in

@@ -19,4 +19,4 @@ PrivateTmp=yes
 ProtectSystem=yes
 ProtectHome=yes
 MemoryDenyWriteExecute=yes
-SystemCallFilter=~@module @mount @obsolete @raw-io ptrace
+SystemCallFilter=~@cpu-emulation @debug @keyring @module @mount @obsolete @raw-io

units/systemd-timesyncd.service.in

@@ -29,7 +29,7 @@ ProtectSystem=full
 ProtectHome=yes
 WatchdogSec=3min
 MemoryDenyWriteExecute=yes
-SystemCallFilter=~@module @mount @obsolete @raw-io ptrace
+SystemCallFilter=~@cpu-emulation @debug @keyring @module @mount @obsolete @raw-io
 
 [Install]
 WantedBy=sysinit.target