portable: add SystemCallFilter=@system-service to the three main portable service...

… but leave the "trusted" profile unmodified, it shall have full access
to all system calls, as before.

diff --git a/src/portable/profile/default/service.conf b/src/portable/profile/default/service.conf
index 993d3516387043f2a6c49fd12b8bb76003bbac48..792be50229e5b9241293be5fcb481dc72f5f1c6b 100644 (file)
--- a/src/portable/profile/default/service.conf
+++ b/src/portable/profile/default/service.conf
@@ -27,4 +27,6 @@ LockPersonality=yes
 MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictNamespaces=yes
+SystemCallFilter=@system-service
+SystemCallErrorNumber=EPERM
 SystemCallArchitectures=native

diff --git a/src/portable/profile/nonetwork/service.conf b/src/portable/profile/nonetwork/service.conf
index 0d9c5a38d888aca1b191f49c4c5cd549ad0f9904..c81cebe03f25fbd9c9a953adeab68252e9a6d3ab 100644 (file)
--- a/src/portable/profile/nonetwork/service.conf
+++ b/src/portable/profile/nonetwork/service.conf
@@ -25,6 +25,8 @@ LockPersonality=yes
 MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictNamespaces=yes
+SystemCallFilter=@system-service
+SystemCallErrorNumber=EPERM
 SystemCallArchitectures=native
 PrivateNetwork=yes
 IPAddressDeny=any

diff --git a/src/portable/profile/strict/service.conf b/src/portable/profile/strict/service.conf
index d12620fc99c61dd9cff8ab53d9c0aee6d5699c65..d10fb5a1e8c30b5f4ce44080f2a00d0e5d761abd 100644 (file)
--- a/src/portable/profile/strict/service.conf
+++ b/src/portable/profile/strict/service.conf
@@ -23,6 +23,8 @@ NoNewPrivileges=yes
 MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictNamespaces=yes
+SystemCallFilter=@system-service
+SystemCallErrorNumber=EPERM
 SystemCallArchitectures=native
 PrivateNetwork=yes
 IPAddressDeny=any