Skip to content

Commit

Permalink
portable: add SystemCallFilter=@System-service to the three main port…
Browse files Browse the repository at this point in the history 
…able service profiles

… but leave the "trusted" profile unmodified, it shall have full access
to all system calls, as before.
  • Loading branch information
@poettering
poettering committed Jun 14, 2018
1 parent ee8f261 commit 6f659e5
Show file tree
Hide file tree
Showing 3 changed files with 6 additions and 0 deletions.
2 changes: 2 additions & 0 deletions src/portable/profile/default/service.conf
View file
Original file line number Diff line number Diff line change
Expand Up @@ -27,4 +27,6 @@ LockPersonality=yes
MemoryDenyWriteExecute=yes
RestrictRealtime=yes
RestrictNamespaces=yes
SystemCallFilter=@system-service
SystemCallErrorNumber=EPERM
SystemCallArchitectures=native
2 changes: 2 additions & 0 deletions src/portable/profile/nonetwork/service.conf
View file
Original file line number Diff line number Diff line change
Expand Up @@ -25,6 +25,8 @@ LockPersonality=yes
MemoryDenyWriteExecute=yes
RestrictRealtime=yes
RestrictNamespaces=yes
SystemCallFilter=@system-service
SystemCallErrorNumber=EPERM
SystemCallArchitectures=native
PrivateNetwork=yes
IPAddressDeny=any
2 changes: 2 additions & 0 deletions src/portable/profile/strict/service.conf
View file
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,8 @@ NoNewPrivileges=yes
MemoryDenyWriteExecute=yes
RestrictRealtime=yes
RestrictNamespaces=yes
SystemCallFilter=@system-service
SystemCallErrorNumber=EPERM
SystemCallArchitectures=native
PrivateNetwork=yes
IPAddressDeny=any
Expand Down

0 comments on commit 6f659e5

Please sign in to comment.