units: set SystemCallArchitectures=native on all our long-running services

units/systemd-ask-password-console.service.in

@@ -16,3 +16,4 @@ ConditionPathExists=!/run/plymouth/pid
 
 [Service]
 ExecStart=@rootbindir@/systemd-tty-ask-password-agent --watch --console
+SystemCallArchitectures=native

units/systemd-ask-password-wall.service.in

@@ -13,3 +13,4 @@ After=systemd-user-sessions.service
 [Service]
 ExecStartPre=-@SYSTEMCTL@ stop systemd-ask-password-console.path systemd-ask-password-console.service systemd-ask-password-plymouth.path systemd-ask-password-plymouth.service
 ExecStart=@rootbindir@/systemd-tty-ask-password-agent --wall
+SystemCallArchitectures=native

units/systemd-coredump@.service.in

@@ -22,3 +22,4 @@ OOMScoreAdjust=500
 PrivateNetwork=yes
 ProtectSystem=full
 RuntimeMaxSec=5min
+SystemCallArchitectures=native

units/systemd-hostnamed.service.in

@@ -26,3 +26,4 @@ MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictAddressFamilies=AF_UNIX
 SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io
+SystemCallArchitectures=native

units/systemd-importd.service.in

@@ -21,3 +21,4 @@ MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
 SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @obsolete @raw-io
+SystemCallArchitectures=native

units/systemd-initctl.service.in

@@ -11,5 +11,6 @@ Documentation=man:systemd-initctl.service(8)
 DefaultDependencies=no
 
 [Service]
-ExecStart=@rootlibexecdir@/systemd-initctl
 NotifyAccess=all
+ExecStart=@rootlibexecdir@/systemd-initctl
+SystemCallArchitectures=native

units/systemd-journal-gatewayd.service.in

@@ -25,6 +25,7 @@ ProtectKernelTunables=yes
 MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+SystemCallArchitectures=native
 
 # If there are many split upjournal files we need a lot of fds to
 # access them all and combine

units/systemd-journal-remote.service.in

@@ -25,6 +25,7 @@ ProtectKernelTunables=yes
 MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+SystemCallArchitectures=native
 
 [Install]
 Also=systemd-journal-remote.socket

units/systemd-journal-upload.service.in

@@ -25,6 +25,7 @@ ProtectKernelTunables=yes
 MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+SystemCallArchitectures=native
 
 # If there are many split up journal files we need a lot of fds to
 # access them all and combine

units/systemd-journald.service.in

@@ -28,6 +28,7 @@ MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictAddressFamilies=AF_UNIX AF_NETLINK
 SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io
+SystemCallArchitectures=native
 
 # Increase the default a bit in order to allow many simultaneous
 # services being run since we keep one fd open per service. Also, when

units/systemd-localed.service.in

@@ -26,3 +26,4 @@ MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictAddressFamilies=AF_UNIX
 SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io
+SystemCallArchitectures=native

units/systemd-logind.service.in

@@ -29,6 +29,7 @@ MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
 SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @obsolete @raw-io
+SystemCallArchitectures=native
 
 # Increase the default a bit in order to allow many simultaneous
 # logins since we keep one fd open per session.

units/systemd-machined.service.in

@@ -21,6 +21,7 @@ MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
 SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @obsolete @raw-io
+SystemCallArchitectures=native
 
 # Note that machined cannot be placed in a mount namespace, since it
 # needs access to the host's mount namespace in order to implement the

units/systemd-networkd.service.m4.in

@@ -35,6 +35,7 @@ MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6 AF_PACKET
 SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io
+SystemCallArchitectures=native
 
 [Install]
 WantedBy=multi-user.target

units/systemd-resolved.service.m4.in

@@ -35,6 +35,7 @@ MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
 SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io
+SystemCallArchitectures=native
 
 [Install]
 WantedBy=multi-user.target

units/systemd-timedated.service.in

@@ -24,3 +24,4 @@ MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictAddressFamilies=AF_UNIX
 SystemCallFilter=~@cpu-emulation @debug @keyring @module @mount @obsolete @raw-io
+SystemCallArchitectures=native

units/systemd-timesyncd.service.in

@@ -34,6 +34,7 @@ MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
 SystemCallFilter=~@cpu-emulation @debug @keyring @module @mount @obsolete @raw-io
+SystemCallArchitectures=native
 
 [Install]
 WantedBy=sysinit.target

units/systemd-udevd.service.in

@@ -28,3 +28,4 @@ MountFlags=slave
 MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
+SystemCallArchitectures=native