Do not filter syscalls in systemd init
Since we don't write the applications we use, this is liable to break pretty easily on versions newer or older than the ones tested. The other protections should be sufficient.
parent
d938354148
commit
7367a8fc4b
|
@ -7,16 +7,6 @@ Restart=always
|
||||||
RestartSec=0
|
RestartSec=0
|
||||||
Environment=DISPLAY=:0
|
Environment=DISPLAY=:0
|
||||||
|
|
||||||
SystemCallFilter=@basic-io @default @io-event @ipc @network-io @process \
|
|
||||||
brk fadvise64 getegid geteuid getgid getgroups getpgrp \
|
|
||||||
getpid getppid getrlimit getuid ioctl mprotect rt_sigaction \
|
|
||||||
rt_sigprocmask setitimer setsid sysinfo umask uname wait4
|
|
||||||
|
|
||||||
# @file-system will handle this once v233 is released, see
|
|
||||||
# http://bit.ly/2l1r8Ah for more details.
|
|
||||||
SystemCallFilter=access chdir close faccessat fcntl fstat getcwd mkdir mmap \
|
|
||||||
munmap open stat statfs unlink
|
|
||||||
|
|
||||||
MemoryDenyWriteExecute=yes
|
MemoryDenyWriteExecute=yes
|
||||||
NoNewPrivileges=yes
|
NoNewPrivileges=yes
|
||||||
ProtectControlGroups=yes
|
ProtectControlGroups=yes
|
||||||
|
|