picnoir
/
Systemd
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

units: add SystemCallErrorNumber=EPERM to systemd-portabled.service 

We use that on all other services, and hence should here too. Otherwise
the service will be killed with SIGSYS when doing something not
whitelisted, which is a bit crass.
This commit is contained in:
Lennart Poettering 2019-07-07 17:28:57 +02:00 committed by Yu Watanabe
parent 24e4b4a199
commit ba2fb17d8b
1 changed files with 1 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
units/systemd-portabled.service.in
View File

@ -22,6 +22,7 @@ ProtectHostname=yes
RestrictRealtime=yes
RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
SystemCallFilter=@system-service @mount
SystemCallErrorNumber=EPERM
SystemCallArchitectures=native
LockPersonality=yes
IPAddressDeny=any