From 6f659e5075a5da1ffb1a3e30f38451a524cd7472 Mon Sep 17 00:00:00 2001
From: Lennart Poettering
Date: Thu, 7 Jun 2018 17:47:53 +0200
Subject: [PATCH] portable: add SystemCallFilter=@system-service to the three main portable service profiles
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit
… but leave the "trusted" profile unmodified, it shall have full access to all system calls, as before.
---
 src/portable/profile/default/service.conf | 2 ++
 src/portable/profile/nonetwork/service.conf | 2 ++
 src/portable/profile/strict/service.conf | 2 ++
 3 files changed, 6 insertions(+)
diff --git a/src/portable/profile/default/service.conf b/src/portable/profile/default/service.conf
index 993d351638..792be50229 100644
--- a/src/portable/profile/default/service.conf
+++ b/src/portable/profile/default/service.conf
@@ -27,4 +27,6 @@ LockPersonality=yes
 MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictNamespaces=yes
+SystemCallFilter=@system-service
+SystemCallErrorNumber=EPERM
 SystemCallArchitectures=native
diff --git a/src/portable/profile/nonetwork/service.conf b/src/portable/profile/nonetwork/service.conf
index 0d9c5a38d8..c81cebe03f 100644
--- a/src/portable/profile/nonetwork/service.conf
+++ b/src/portable/profile/nonetwork/service.conf
@@ -25,6 +25,8 @@ LockPersonality=yes
 MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictNamespaces=yes
+SystemCallFilter=@system-service
+SystemCallErrorNumber=EPERM
 SystemCallArchitectures=native
 PrivateNetwork=yes
 IPAddressDeny=any
diff --git a/src/portable/profile/strict/service.conf b/src/portable/profile/strict/service.conf
index d12620fc99..d10fb5a1e8 100644
--- a/src/portable/profile/strict/service.conf
+++ b/src/portable/profile/strict/service.conf
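Review bot: The new `SystemCallErrorNumber=EPERM` line in the default profile makes any call outside `@system-service` fail softly instead of terminating the service, and nothing in the file records why that trade-off was chosen; the same two lines are added unchanged to the nonetwork and strict profiles, so this applies to all three hunks. A soft failure keeps a unit running after it has tripped the filter, so a misbehaving or compromised service surfaces only as EPERM errors in its own output rather than as a killed process, which is the weaker signal for anyone watching it, and for the strict profile in particular the default kill behaviour may be the better fit. I would put a comment above the added lines in each profile, e.g. `# Calls outside @system-service fail with EPERM rather than killing the service; the "trusted" profile deliberately carries no filter.`, so the rationale stated in the commit message travels with the file. Whether `NoNewPrivileges=yes` sits above these lines in the default and nonetwork profiles is outside their hunks; it is visible as context only in the strict profile.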
@@ -23,6 +23,8 @@ NoNewPrivileges=yes
 MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictNamespaces=yes
+SystemCallFilter=@system-service
+SystemCallErrorNumber=EPERM
 SystemCallArchitectures=native
 PrivateNetwork=yes
 IPAddressDeny=any
-- 
2.25.1