units: set SystemCallArchitectures=native on all our long-running services

diff --git a/units/systemd-ask-password-console.service.in b/units/systemd-ask-password-console.service.in
index a24fa51903c8aee0b2d20ec4d95eaffd300aa432..adaa60da87f20118096f7cb23efc18c15d1fcf62 100644 (file)
--- a/units/systemd-ask-password-console.service.in
+++ b/units/systemd-ask-password-console.service.in
@@ -16,3 +16,4 @@ ConditionPathExists=!/run/plymouth/pid
 
 [Service]
 ExecStart=@rootbindir@/systemd-tty-ask-password-agent --watch --console
+SystemCallArchitectures=native

diff --git a/units/systemd-ask-password-wall.service.in b/units/systemd-ask-password-wall.service.in
index 0eaa274794471e1c425358f943c48cc7deaae31a..be380023a7f5059b731d03e93f5a713b48d3a4c4 100644 (file)
--- a/units/systemd-ask-password-wall.service.in
+++ b/units/systemd-ask-password-wall.service.in
@@ -13,3 +13,4 @@ After=systemd-user-sessions.service
 [Service]
 ExecStartPre=-@SYSTEMCTL@ stop systemd-ask-password-console.path systemd-ask-password-console.service systemd-ask-password-plymouth.path systemd-ask-password-plymouth.service
 ExecStart=@rootbindir@/systemd-tty-ask-password-agent --wall
+SystemCallArchitectures=native

diff --git a/units/systemd-coredump@.service.in b/units/systemd-coredump@.service.in
index 588c8d629c37527d8ae2d1cbe7acf7055f85a5ce..8ae296ff2bbf013509dfc0828b1de692f81ddccd 100644 (file)
--- a/units/systemd-coredump@.service.in
+++ b/units/systemd-coredump@.service.in
@@ -22,3 +22,4 @@ OOMScoreAdjust=500
 PrivateNetwork=yes
 ProtectSystem=full
 RuntimeMaxSec=5min
+SystemCallArchitectures=native

diff --git a/units/systemd-hostnamed.service.in b/units/systemd-hostnamed.service.in
index edc5a1722ac1fea8b9d70e8b763b8a89c3dbca0b..89d942b072242f9f9a1313648b3dc71e1641c368 100644 (file)
--- a/units/systemd-hostnamed.service.in
+++ b/units/systemd-hostnamed.service.in
@@ -26,3 +26,4 @@ MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictAddressFamilies=AF_UNIX
 SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io
+SystemCallArchitectures=native

diff --git a/units/systemd-importd.service.in b/units/systemd-importd.service.in
index ac27c2bcbabdc32ee3a7da1ae009a7d8727a0957..2a8a683d95f7fd0a59cc01caaf7b351e95fbc16f 100644 (file)
--- a/units/systemd-importd.service.in
+++ b/units/systemd-importd.service.in
@@ -21,3 +21,4 @@ MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
 SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @obsolete @raw-io
+SystemCallArchitectures=native

diff --git a/units/systemd-initctl.service.in b/units/systemd-initctl.service.in
index 27e663c8dc4349669cc2ad2a6a6ccb0b59b0988b..5505309e9200a2b302f7420876e5c58d7e86d407 100644 (file)
--- a/units/systemd-initctl.service.in
+++ b/units/systemd-initctl.service.in
@@ -11,5 +11,6 @@ Documentation=man:systemd-initctl.service(8)
 DefaultDependencies=no
 
 [Service]
-ExecStart=@rootlibexecdir@/systemd-initctl
 NotifyAccess=all
+ExecStart=@rootlibexecdir@/systemd-initctl
+SystemCallArchitectures=native

diff --git a/units/systemd-journal-gatewayd.service.in b/units/systemd-journal-gatewayd.service.in
index efefaa4244d8c0e7fb04866383a31b90725babbb..b0b934deb21918010f09cb1b37a7267e2e4e83c8 100644 (file)
--- a/units/systemd-journal-gatewayd.service.in
+++ b/units/systemd-journal-gatewayd.service.in
@@ -25,6 +25,7 @@ ProtectKernelTunables=yes
 MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+SystemCallArchitectures=native
 
 # If there are many split upjournal files we need a lot of fds to
 # access them all and combine

diff --git a/units/systemd-journal-remote.service.in b/units/systemd-journal-remote.service.in
index 753dd6c1588e3fac526c6e1a2dbe0ad7345fd416..bc384b83824f5b24fccf41f8b1974b06faa56487 100644 (file)
--- a/units/systemd-journal-remote.service.in
+++ b/units/systemd-journal-remote.service.in
@@ -25,6 +25,7 @@ ProtectKernelTunables=yes
 MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+SystemCallArchitectures=native
 
 [Install]
 Also=systemd-journal-remote.socket

diff --git a/units/systemd-journal-upload.service.in b/units/systemd-journal-upload.service.in
index d8fd24362029c98b8990fac527b2ab0fcfa3cec3..d28a62bb35eb97c1841631b5c004c1bace920ef9 100644 (file)
--- a/units/systemd-journal-upload.service.in
+++ b/units/systemd-journal-upload.service.in
@@ -25,6 +25,7 @@ ProtectKernelTunables=yes
 MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+SystemCallArchitectures=native
 
 # If there are many split up journal files we need a lot of fds to
 # access them all and combine

diff --git a/units/systemd-journald.service.in b/units/systemd-journald.service.in
index 712ce55483378680c43ae4f3bf9b752457189ef7..b2e7eeeda3fa0beb59f383236c2606ad98df1a77 100644 (file)
--- a/units/systemd-journald.service.in
+++ b/units/systemd-journald.service.in
@@ -28,6 +28,7 @@ MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictAddressFamilies=AF_UNIX AF_NETLINK
 SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io
+SystemCallArchitectures=native
 
 # Increase the default a bit in order to allow many simultaneous
 # services being run since we keep one fd open per service. Also, when

diff --git a/units/systemd-localed.service.in b/units/systemd-localed.service.in
index df829e11644f1a6025154a150cc47928238d8ac3..af2cdfffbeb901a8beac356b00d9f77004a464fb 100644 (file)
--- a/units/systemd-localed.service.in
+++ b/units/systemd-localed.service.in
@@ -26,3 +26,4 @@ MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictAddressFamilies=AF_UNIX
 SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io
+SystemCallArchitectures=native

diff --git a/units/systemd-logind.service.in b/units/systemd-logind.service.in
index 0b6de35733039b9784f66fc6f365a70fd6329f3f..fcbfd1debeb62c1e9f2ca2b5b1bc4b317be32c99 100644 (file)
--- a/units/systemd-logind.service.in
+++ b/units/systemd-logind.service.in
@@ -29,6 +29,7 @@ MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
 SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @obsolete @raw-io
+SystemCallArchitectures=native
 
 # Increase the default a bit in order to allow many simultaneous
 # logins since we keep one fd open per session.

diff --git a/units/systemd-machined.service.in b/units/systemd-machined.service.in
index 911ead79eeac146a14ce7d48b8fb698a8c427342..3c46d04f64eab223816a29b2c76f0c286838e687 100644 (file)
--- a/units/systemd-machined.service.in
+++ b/units/systemd-machined.service.in
@@ -21,6 +21,7 @@ MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
 SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @obsolete @raw-io
+SystemCallArchitectures=native
 
 # Note that machined cannot be placed in a mount namespace, since it
 # needs access to the host's mount namespace in order to implement the

diff --git a/units/systemd-networkd.service.m4.in b/units/systemd-networkd.service.m4.in
index d1cf3fc133ddd191b222c78d8fe4bdc7a60f77e6..4596d31d0f474f850245d799856cc5e5c7302660 100644 (file)
--- a/units/systemd-networkd.service.m4.in
+++ b/units/systemd-networkd.service.m4.in
@@ -35,6 +35,7 @@ MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6 AF_PACKET
 SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io
+SystemCallArchitectures=native
 
 [Install]
 WantedBy=multi-user.target

diff --git a/units/systemd-resolved.service.m4.in b/units/systemd-resolved.service.m4.in
index 0f0440ddaf68c077b1a9a91e88f94438c065458a..dcacbdaeab200e2bc838d4746bb3338335b7072a 100644 (file)
--- a/units/systemd-resolved.service.m4.in
+++ b/units/systemd-resolved.service.m4.in
@@ -35,6 +35,7 @@ MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
 SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io
+SystemCallArchitectures=native
 
 [Install]
 WantedBy=multi-user.target

diff --git a/units/systemd-timedated.service.in b/units/systemd-timedated.service.in
index e8c4d5ed4ba5f5182ff6c0d0eedc715b63182b82..7608d9da28992836b15f6882b0f022c834389ce2 100644 (file)
--- a/units/systemd-timedated.service.in
+++ b/units/systemd-timedated.service.in
@@ -24,3 +24,4 @@ MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictAddressFamilies=AF_UNIX
 SystemCallFilter=~@cpu-emulation @debug @keyring @module @mount @obsolete @raw-io
+SystemCallArchitectures=native

diff --git a/units/systemd-timesyncd.service.in b/units/systemd-timesyncd.service.in
index 9a6c6ea60ddab941c7ea86205a2103166cc79daf..46b81ebab3a722bf065e9718ebd7e41872bc3f52 100644 (file)
--- a/units/systemd-timesyncd.service.in
+++ b/units/systemd-timesyncd.service.in
@@ -34,6 +34,7 @@ MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
 SystemCallFilter=~@cpu-emulation @debug @keyring @module @mount @obsolete @raw-io
+SystemCallArchitectures=native
 
 [Install]
 WantedBy=sysinit.target

diff --git a/units/systemd-udevd.service.in b/units/systemd-udevd.service.in
index 46d637883bdebf509f935d32e0cf69b071a7e019..fc037b5a5cd76d31adaf6bd267be9dfc4955b1da 100644 (file)
--- a/units/systemd-udevd.service.in
+++ b/units/systemd-udevd.service.in
@@ -28,3 +28,4 @@ MountFlags=slave
 MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
+SystemCallArchitectures=native