Do not filter syscalls in systemd init
Since we don't write the applications we use, this is liable to break pretty easily for new/older versions than tested on. The other protections should be sufficient.
parent d938354148
commit 7367a8fc4b
@ -7,16 +7,6 @@ Restart=always
RestartSec=0
Environment=DISPLAY=:0
SystemCallFilter=@basic-io @default @io-event @ipc @network-io @process \
brk fadvise64 getegid geteuid getgid getgroups getpgrp \
getpid getppid getrlimit getuid ioctl mprotect rt_sigaction \
rt_sigprocmask setitimer setsid sysinfo umask uname wait4
# @file-system will handle this once v233 is released, see
# http://bit.ly/2l1r8Ah for more details.
SystemCallFilter=access chdir close faccessat fcntl fstat getcwd mkdir mmap \
munmap open stat statfs unlink
MemoryDenyWriteExecute=yes
NoNewPrivileges=yes
ProtectControlGroups=yes
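Review bot: dropping both `SystemCallFilter=` allow-lists leaves the unit with no syscall restriction at all, where a deny-list would keep part of the protection without the breakage the commit message describes. An allow-list fails whenever a new application version makes a call that is not listed; a deny-list such as `SystemCallFilter=~@obsolete @privileged` (the `~` prefix inverts the list) only fails if the application starts using calls from those groups, which is far less sensitive to version changes. If the filter stays out, a short comment above `MemoryDenyWriteExecute=yes` saying that syscall filtering was removed on purpose, and why, would stop someone from re-adding the same fragile allow-list once the `@file-system` group mentioned in the removed comment becomes available.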