From: Lennart Poettering
Date: Thu, 7 Jun 2018 15:47:53 +0000 (+0200)
Subject: portable: add SystemCallFilter=@system-service to the three main portable service...
X-Git-Tag: v239~48^2~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6f659e5075a5da1ffb1a3e30f38451a524cd7472;p=thirdparty%2Fsystemd.git
portable: add SystemCallFilter=@system-service to the three main portable service profiles … but leave the "trusted" profile unmodified, it shall have full access to all system calls, as before.
---
diff --git a/src/portable/profile/default/service.conf b/src/portable/profile/default/service.conf
index 993d3516387..792be50229e 100644
--- a/src/portable/profile/default/service.conf
+++ b/src/portable/profile/default/service.conf
@@ -27,4 +27,6 @@ LockPersonality=yes
 MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictNamespaces=yes
+SystemCallFilter=@system-service
+SystemCallErrorNumber=EPERM
 SystemCallArchitectures=native
diff --git a/src/portable/profile/nonetwork/service.conf b/src/portable/profile/nonetwork/service.conf
index 0d9c5a38d88..c81cebe03f2 100644
--- a/src/portable/profile/nonetwork/service.conf
+++ b/src/portable/profile/nonetwork/service.conf
@@ -25,6 +25,8 @@ LockPersonality=yes
 MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictNamespaces=yes
+SystemCallFilter=@system-service
+SystemCallErrorNumber=EPERM
 SystemCallArchitectures=native
 PrivateNetwork=yes
 IPAddressDeny=any
diff --git a/src/portable/profile/strict/service.conf b/src/portable/profile/strict/service.conf
index d12620fc99c..d10fb5a1e8c 100644
--- a/src/portable/profile/strict/service.conf
+++ b/src/portable/profile/strict/service.conf
@@ -23,6 +23,8 @@ NoNewPrivileges=yes
 MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictNamespaces=yes
+SystemCallFilter=@system-service
+SystemCallErrorNumber=EPERM
 SystemCallArchitectures=native
 PrivateNetwork=yes
 IPAddressDeny=any
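Review bot: `SystemCallErrorNumber=EPERM`, added beside the new filter in default/service.conf and identically in the nonetwork and strict hunks, changes the failure mode from terminating the process to returning an error, and nothing in the files says so. A service that makes a call outside `@system-service` will see what looks like an ordinary permission failure, which it may ignore or misreport, and such denials are usually not logged, so operators get no signal that the filter fired. I would add a comment above the two lines in all three profiles, e.g. `# Allow-list of system calls; anything else fails with EPERM instead of killing the service`. The rest of each profile lies outside the hunks, so whether an existing comment already covers this cannot be seen here.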