From: Tim Duesterhus Date: Tue, 27 Feb 2018 19:19:05 +0000 (+0100) Subject: MINOR: systemd: Add SystemD's SystemCallFilter option to the unit file X-Git-Tag: v1.9-dev1~392 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2788a39c07621e7af0d2efa34b4adabe8a01ad31;p=thirdparty%2Fhaproxy.git MINOR: systemd: Add SystemD's SystemCallFilter option to the unit file This option takes away system calls that are unneeded for haproxy's operation and thus is a good defense in depth measure.
---
diff --git a/contrib/systemd/haproxy.service.in b/contrib/systemd/haproxy.service.in
index 846bcc77f5..7a8b6bead2 100644
--- a/contrib/systemd/haproxy.service.in
+++ b/contrib/systemd/haproxy.service.in
@@ -27,6 +27,8 @@ Type=notify
 # ProtectKernelTunables=true
 # ProtectKernelModules=true
 # ProtectControlGroups=true
+# If your SystemD version supports them, you can add: @reboot, @swap, @sync
+# SystemCallFilter=~@cpu-emulation @keyring @module @obsolete @raw-io
 
 [Install]
 WantedBy=multi-user.target
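Review bot: The new SystemCallFilter line is commented out like the ProtectKernel* lines above it, so the filter only takes effect once an operator uncomments it, and the "if your SystemD version supports them" hint gives no way to find out whether @reboot, @swap and @sync exist on the installed systemd; `systemd-analyze syscall-filter` prints the groups a given version knows, so adding `# List the groups your systemd knows with: systemd-analyze syscall-filter` above the filter would make the hint actionable. A call that hits the filter terminates the process with SIGSYS unless SystemCallErrorNumber= is set, so the list is best validated against the site's real configuration and reload path before being enabled. The `~` form is a deny-list: it removes only the named groups rather than restricting haproxy to the calls it actually uses, which is the safer choice when the full set is not known but is correspondingly weaker than an allow-list, and the comment could say so.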