units: add a basic SystemCallFilter (#3471)

Add a line
SystemCallFilter=~@clock @module @mount @obsolete @raw-io ptrace
for daemons shipped by systemd. As an exception, systemd-timesyncd
needs @clock system calls and systemd-localed is not privileged.
ptrace(2) is blocked to prevent seccomp escapes.

units/systemd-hostnamed.service.in

@@ -21,3 +21,4 @@ PrivateNetwork=yes
 ProtectSystem=yes
 ProtectHome=yes
 MemoryDenyWriteExecute=yes
+SystemCallFilter=~@clock @module @mount @obsolete @raw-io ptrace

units/systemd-importd.service.in

@@ -18,3 +18,4 @@ NoNewPrivileges=yes
 WatchdogSec=3min
 KillMode=mixed
 MemoryDenyWriteExecute=yes
+SystemCallFilter=~@clock @module @mount @obsolete @raw-io ptrace

units/systemd-journald.service.in

@@ -25,6 +25,7 @@ CapabilityBoundingSet=CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SYS_PTRACE CAP_SYSLOG C
 WatchdogSec=3min
 FileDescriptorStoreMax=1024
 MemoryDenyWriteExecute=yes
+SystemCallFilter=~@clock @module @mount @obsolete @raw-io ptrace
 
 # Increase the default a bit in order to allow many simultaneous
 # services being run since we keep one fd open per service. Also, when

units/systemd-localed.service.in

@@ -21,3 +21,4 @@ PrivateNetwork=yes
 ProtectSystem=yes
 ProtectHome=yes
 MemoryDenyWriteExecute=yes
+SystemCallFilter=~@clock @module @mount @obsolete @privileged @raw-io ptrace

units/systemd-logind.service.in

@@ -26,6 +26,7 @@ BusName=org.freedesktop.login1
 CapabilityBoundingSet=CAP_SYS_ADMIN CAP_MAC_ADMIN CAP_AUDIT_CONTROL CAP_CHOWN CAP_KILL CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE CAP_FOWNER CAP_SYS_TTY_CONFIG
 WatchdogSec=3min
 MemoryDenyWriteExecute=yes
+SystemCallFilter=~@clock @module @mount @obsolete @raw-io ptrace
 
 # Increase the default a bit in order to allow many simultaneous
 # logins since we keep one fd open per session.

units/systemd-machined.service.in

@@ -18,6 +18,7 @@ BusName=org.freedesktop.machine1
 CapabilityBoundingSet=CAP_KILL CAP_SYS_PTRACE CAP_SYS_ADMIN CAP_SETGID CAP_SYS_CHROOT CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE CAP_CHOWN CAP_FOWNER CAP_FSETID CAP_MKNOD
 WatchdogSec=3min
 MemoryDenyWriteExecute=yes
+SystemCallFilter=~@clock @module @mount @obsolete @raw-io ptrace
 
 # Note that machined cannot be placed in a mount namespace, since it
 # needs access to the host's mount namespace in order to implement the

units/systemd-networkd.service.m4.in

@@ -32,6 +32,7 @@ ProtectSystem=full
 ProtectHome=yes
 WatchdogSec=3min
 MemoryDenyWriteExecute=yes
+SystemCallFilter=~@clock @module @mount @obsolete @raw-io ptrace
 
 [Install]
 WantedBy=multi-user.target

units/systemd-resolved.service.m4.in

@@ -28,6 +28,7 @@ ProtectSystem=full
 ProtectHome=yes
 WatchdogSec=3min
 MemoryDenyWriteExecute=yes
+SystemCallFilter=~@clock @module @mount @obsolete @raw-io ptrace
 
 [Install]
 WantedBy=multi-user.target

units/systemd-timedated.service.in

@@ -19,3 +19,4 @@ PrivateTmp=yes
 ProtectSystem=yes
 ProtectHome=yes
 MemoryDenyWriteExecute=yes
+SystemCallFilter=~@module @mount @obsolete @raw-io ptrace

units/systemd-timesyncd.service.in

@@ -29,6 +29,7 @@ ProtectSystem=full
 ProtectHome=yes
 WatchdogSec=3min
 MemoryDenyWriteExecute=yes
+SystemCallFilter=~@module @mount @obsolete @raw-io ptrace
 
 [Install]
 WantedBy=sysinit.target