units: set SystemCallArchitectures=native on all our long-running services
parent
357e1b17b9
commit
7f396e5f66
|
@ -16,3 +16,4 @@ ConditionPathExists=!/run/plymouth/pid
|
||||||
|
|
||||||
[Service]
|
[Service]
|
||||||
ExecStart=@rootbindir@/systemd-tty-ask-password-agent --watch --console
|
ExecStart=@rootbindir@/systemd-tty-ask-password-agent --watch --console
|
||||||
|
SystemCallArchitectures=native
|
||||||
|
|
|
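Review bot: `SystemCallArchitectures=native` is appended here as the last key of `[Service]`, directly after `ExecStart=`, whereas in most other hunks of this commit it is grouped with the seccomp-related `SystemCallFilter=` and `RestrictAddressFamilies=` keys; none of those keys are visible in this hunk, so this unit may be receiving its first seccomp-based restriction. If the unit also sets `User=` (not visible here), systemd implies `NoNewPrivileges=yes` once a seccomp setting such as this one is present, which is worth confirming against what the password agent needs to do. The same placement applies to the hunk at `-13,3 +13,4` (the `--wall` agent) below. A one-line comment above the new key, `# Restrict the service to the native syscall ABI (seccomp)`, would record the intent for readers of the unit file.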
@ -13,3 +13,4 @@ After=systemd-user-sessions.service
|
||||||
[Service]
|
[Service]
|
||||||
ExecStartPre=-@SYSTEMCTL@ stop systemd-ask-password-console.path systemd-ask-password-console.service systemd-ask-password-plymouth.path systemd-ask-password-plymouth.service
|
ExecStartPre=-@SYSTEMCTL@ stop systemd-ask-password-console.path systemd-ask-password-console.service systemd-ask-password-plymouth.path systemd-ask-password-plymouth.service
|
||||||
ExecStart=@rootbindir@/systemd-tty-ask-password-agent --wall
|
ExecStart=@rootbindir@/systemd-tty-ask-password-agent --wall
|
||||||
|
SystemCallArchitectures=native
|
||||||
|
|
|
@ -22,3 +22,4 @@ OOMScoreAdjust=500
|
||||||
PrivateNetwork=yes
|
PrivateNetwork=yes
|
||||||
ProtectSystem=full
|
ProtectSystem=full
|
||||||
RuntimeMaxSec=5min
|
RuntimeMaxSec=5min
|
||||||
|
SystemCallArchitectures=native
|
||||||
|
|
|
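Review bot: The commit title scopes the change to long-running services, but this unit's context carries `RuntimeMaxSec=5min`, which caps the service's lifetime and suggests a bounded job rather than a daemon, so either the message or this unit's inclusion deserves a second look. The new key is otherwise placed consistently with the rest of the commit, next to the existing sandboxing keys `PrivateNetwork=yes` and `ProtectSystem=full`. Since a native-only architecture restriction costs nothing at runtime, applying it to short-lived units is reasonable; a sentence in the commit message saying that short-lived units are included on purpose would settle the mismatch.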
@ -26,3 +26,4 @@ MemoryDenyWriteExecute=yes
|
||||||
RestrictRealtime=yes
|
RestrictRealtime=yes
|
||||||
RestrictAddressFamilies=AF_UNIX
|
RestrictAddressFamilies=AF_UNIX
|
||||||
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io
|
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io
|
||||||
|
SystemCallArchitectures=native
|
||||||
|
|
|
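Review bot: The new `SystemCallArchitectures=native` sits directly after a deny-list `SystemCallFilter=~...`, and that pairing is the security-relevant point of the commit: a seccomp deny-list is evaluated per ABI, so on a multi-ABI system the architecture restriction is what keeps the filtered syscalls from being reachable through a secondary ABI. Nothing in the unit records that dependency, so a later edit could separate or drop one key without noticing the other; a comment above the new line, `# Deny-list SystemCallFilter= is per-ABI; keep the native-only restriction alongside it`, would preserve the link. The same applies to the other hunks that pair the key with `SystemCallFilter=` (`-21,3 +21,4`, `-28,6 +28,7`, `-29,6 +29,7`, `-21,6 +21,7`, both `-35,6 +35,7`, `-24,3 +24,4` and `-34,6 +34,7`).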
@ -21,3 +21,4 @@ MemoryDenyWriteExecute=yes
|
||||||
RestrictRealtime=yes
|
RestrictRealtime=yes
|
||||||
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
|
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
|
||||||
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @obsolete @raw-io
|
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @obsolete @raw-io
|
||||||
|
SystemCallArchitectures=native
|
||||||
|
|
|
@ -11,5 +11,6 @@ Documentation=man:systemd-initctl.service(8)
|
||||||
DefaultDependencies=no
|
DefaultDependencies=no
|
||||||
|
|
||||||
[Service]
|
[Service]
|
||||||
ExecStart=@rootlibexecdir@/systemd-initctl
|
|
||||||
NotifyAccess=all
|
NotifyAccess=all
|
||||||
|
ExecStart=@rootlibexecdir@/systemd-initctl
|
||||||
|
SystemCallArchitectures=native
|
||||||
|
|
|
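Review bot: The `ExecStart=@rootlibexecdir@/systemd-initctl` line appears to be relocated from before `NotifyAccess=all` to after it in this hunk (inferred from the split view, where the old `ExecStart=` row has an empty new-side cell and the new one an empty old-side cell), which is unrelated to the commit's stated purpose. Key order inside `[Service]` does not change how systemd applies these two settings, but the move makes `git blame` on `ExecStart=` point at a seccomp commit; splitting it out or mentioning it in the message would keep the history honest. No other sandboxing key is in view for this unit, so the new `SystemCallArchitectures=native` may be its first seccomp setting, and a short comment such as `# Native syscall ABI only (seccomp)` above it would document the intent.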
@ -25,6 +25,7 @@ ProtectKernelTunables=yes
|
||||||
MemoryDenyWriteExecute=yes
|
MemoryDenyWriteExecute=yes
|
||||||
RestrictRealtime=yes
|
RestrictRealtime=yes
|
||||||
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
|
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
|
||||||
|
SystemCallArchitectures=native
|
||||||
|
|
||||||
# If there are many split upjournal files we need a lot of fds to
|
# If there are many split upjournal files we need a lot of fds to
|
||||||
# access them all and combine
|
# access them all and combine
|
||||||
|
|
|
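Review bot: Nothing documents why `SystemCallArchitectures=native` is added between `RestrictAddressFamilies=` and the fd comment here, and unlike most hunks in this commit no `SystemCallFilter=` is in view, so the restriction stands on its own rather than backing a deny-list filter; a comment such as `# Native syscall ABI only (seccomp); no SystemCallFilter= in this unit` would make the intent clear. The same layout appears in the other two hunks sharing the `-25,6 +25,7 ProtectKernelTunables=yes` context below. Separately, the context comment right after the new key reads `split upjournal` and is missing a space; the otherwise identical hunk further down spells it `split up journal`, and since this block is being touched the typo is a cheap fix.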
@ -25,6 +25,7 @@ ProtectKernelTunables=yes
|
||||||
MemoryDenyWriteExecute=yes
|
MemoryDenyWriteExecute=yes
|
||||||
RestrictRealtime=yes
|
RestrictRealtime=yes
|
||||||
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
|
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
|
||||||
|
SystemCallArchitectures=native
|
||||||
|
|
||||||
[Install]
|
[Install]
|
||||||
Also=systemd-journal-remote.socket
|
Also=systemd-journal-remote.socket
|
||||||
|
|
|
@ -25,6 +25,7 @@ ProtectKernelTunables=yes
|
||||||
MemoryDenyWriteExecute=yes
|
MemoryDenyWriteExecute=yes
|
||||||
RestrictRealtime=yes
|
RestrictRealtime=yes
|
||||||
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
|
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
|
||||||
|
SystemCallArchitectures=native
|
||||||
|
|
||||||
# If there are many split up journal files we need a lot of fds to
|
# If there are many split up journal files we need a lot of fds to
|
||||||
# access them all and combine
|
# access them all and combine
|
||||||
|
|
|
@ -28,6 +28,7 @@ MemoryDenyWriteExecute=yes
|
||||||
RestrictRealtime=yes
|
RestrictRealtime=yes
|
||||||
RestrictAddressFamilies=AF_UNIX AF_NETLINK
|
RestrictAddressFamilies=AF_UNIX AF_NETLINK
|
||||||
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io
|
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io
|
||||||
|
SystemCallArchitectures=native
|
||||||
|
|
||||||
# Increase the default a bit in order to allow many simultaneous
|
# Increase the default a bit in order to allow many simultaneous
|
||||||
# services being run since we keep one fd open per service. Also, when
|
# services being run since we keep one fd open per service. Also, when
|
||||||
|
|
|
@ -26,3 +26,4 @@ MemoryDenyWriteExecute=yes
|
||||||
RestrictRealtime=yes
|
RestrictRealtime=yes
|
||||||
RestrictAddressFamilies=AF_UNIX
|
RestrictAddressFamilies=AF_UNIX
|
||||||
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io
|
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io
|
||||||
|
SystemCallArchitectures=native
|
||||||
|
|
|
@ -29,6 +29,7 @@ MemoryDenyWriteExecute=yes
|
||||||
RestrictRealtime=yes
|
RestrictRealtime=yes
|
||||||
RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
|
RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
|
||||||
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @obsolete @raw-io
|
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @obsolete @raw-io
|
||||||
|
SystemCallArchitectures=native
|
||||||
|
|
||||||
# Increase the default a bit in order to allow many simultaneous
|
# Increase the default a bit in order to allow many simultaneous
|
||||||
# logins since we keep one fd open per session.
|
# logins since we keep one fd open per session.
|
||||||
|
|
|
@ -21,6 +21,7 @@ MemoryDenyWriteExecute=yes
|
||||||
RestrictRealtime=yes
|
RestrictRealtime=yes
|
||||||
RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
|
RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
|
||||||
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @obsolete @raw-io
|
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @obsolete @raw-io
|
||||||
|
SystemCallArchitectures=native
|
||||||
|
|
||||||
# Note that machined cannot be placed in a mount namespace, since it
|
# Note that machined cannot be placed in a mount namespace, since it
|
||||||
# needs access to the host's mount namespace in order to implement the
|
# needs access to the host's mount namespace in order to implement the
|
||||||
|
|
|
@ -35,6 +35,7 @@ MemoryDenyWriteExecute=yes
|
||||||
RestrictRealtime=yes
|
RestrictRealtime=yes
|
||||||
RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6 AF_PACKET
|
RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6 AF_PACKET
|
||||||
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io
|
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io
|
||||||
|
SystemCallArchitectures=native
|
||||||
|
|
||||||
[Install]
|
[Install]
|
||||||
WantedBy=multi-user.target
|
WantedBy=multi-user.target
|
||||||
|
|
|
@ -35,6 +35,7 @@ MemoryDenyWriteExecute=yes
|
||||||
RestrictRealtime=yes
|
RestrictRealtime=yes
|
||||||
RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
|
RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
|
||||||
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io
|
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io
|
||||||
|
SystemCallArchitectures=native
|
||||||
|
|
||||||
[Install]
|
[Install]
|
||||||
WantedBy=multi-user.target
|
WantedBy=multi-user.target
|
||||||
|
|
|
@ -24,3 +24,4 @@ MemoryDenyWriteExecute=yes
|
||||||
RestrictRealtime=yes
|
RestrictRealtime=yes
|
||||||
RestrictAddressFamilies=AF_UNIX
|
RestrictAddressFamilies=AF_UNIX
|
||||||
SystemCallFilter=~@cpu-emulation @debug @keyring @module @mount @obsolete @raw-io
|
SystemCallFilter=~@cpu-emulation @debug @keyring @module @mount @obsolete @raw-io
|
||||||
|
SystemCallArchitectures=native
|
||||||
|
|
|
@ -34,6 +34,7 @@ MemoryDenyWriteExecute=yes
|
||||||
RestrictRealtime=yes
|
RestrictRealtime=yes
|
||||||
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
|
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
|
||||||
SystemCallFilter=~@cpu-emulation @debug @keyring @module @mount @obsolete @raw-io
|
SystemCallFilter=~@cpu-emulation @debug @keyring @module @mount @obsolete @raw-io
|
||||||
|
SystemCallArchitectures=native
|
||||||
|
|
||||||
[Install]
|
[Install]
|
||||||
WantedBy=sysinit.target
|
WantedBy=sysinit.target
|
||||||
|
|
|
@ -28,3 +28,4 @@ MountFlags=slave
|
||||||
MemoryDenyWriteExecute=yes
|
MemoryDenyWriteExecute=yes
|
||||||
RestrictRealtime=yes
|
RestrictRealtime=yes
|
||||||
RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
|
RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
|
||||||
|
SystemCallArchitectures=native
|
||||||
|
|