]> git.ipfire.org Git - thirdparty/systemd.git/blobdiff - units/systemd-machined.service.in
projects / thirdparty / systemd.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
units: add a basic SystemCallFilter (#3471)
[thirdparty/systemd.git] / units / systemd-machined.service.in
diff --git a/units/systemd-machined.service.in b/units/systemd-machined.service.in
index 1517068ecdf55c060c332fe2ece44cc44b377abd..82dca0533829bc82646b0431a4b0291e6c64ac6d 100644 (file)
--- a/units/systemd-machined.service.in
+++ b/units/systemd-machined.service.in
@@ -18,6 +18,7 @@ BusName=org.freedesktop.machine1
 CapabilityBoundingSet=CAP_KILL CAP_SYS_PTRACE CAP_SYS_ADMIN CAP_SETGID CAP_SYS_CHROOT CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE CAP_CHOWN CAP_FOWNER CAP_FSETID CAP_MKNOD
 WatchdogSec=3min
 MemoryDenyWriteExecute=yes
+SystemCallFilter=~@clock @module @mount @obsolete @raw-io ptrace
 
 # Note that machined cannot be placed in a mount namespace, since it
 # needs access to the host's mount namespace in order to implement the
Unnamed repository; edit this file 'description' to name the repository.