From: Lennart Poettering Date: Wed, 8 Feb 2017 21:32:37 +0000 (+0100) Subject: units: set SystemCallArchitectures=native on all our long-running services X-Git-Tag: v234~401^2~5 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=7f396e5f66e91caf450890c34bc9e00b717aae86;p=thirdparty%2Fsystemd.git units: set SystemCallArchitectures=native on all our long-running services --- diff --git a/units/systemd-ask-password-console.service.in b/units/systemd-ask-password-console.service.in index a24fa51903c..adaa60da87f 100644 --- a/units/systemd-ask-password-console.service.in +++ b/units/systemd-ask-password-console.service.in @@ -16,3 +16,4 @@ ConditionPathExists=!/run/plymouth/pid [Service] ExecStart=@rootbindir@/systemd-tty-ask-password-agent --watch --console +SystemCallArchitectures=native diff --git a/units/systemd-ask-password-wall.service.in b/units/systemd-ask-password-wall.service.in index 0eaa2747944..be380023a7f 100644 --- a/units/systemd-ask-password-wall.service.in +++ b/units/systemd-ask-password-wall.service.in @@ -13,3 +13,4 @@ After=systemd-user-sessions.service [Service] ExecStartPre=-@SYSTEMCTL@ stop systemd-ask-password-console.path systemd-ask-password-console.service systemd-ask-password-plymouth.path systemd-ask-password-plymouth.service ExecStart=@rootbindir@/systemd-tty-ask-password-agent --wall +SystemCallArchitectures=native diff --git a/units/systemd-coredump@.service.in b/units/systemd-coredump@.service.in index 588c8d629c3..8ae296ff2bb 100644 --- a/units/systemd-coredump@.service.in +++ b/units/systemd-coredump@.service.in @@ -22,3 +22,4 @@ OOMScoreAdjust=500 PrivateNetwork=yes ProtectSystem=full RuntimeMaxSec=5min +SystemCallArchitectures=native diff --git a/units/systemd-hostnamed.service.in b/units/systemd-hostnamed.service.in index edc5a1722ac..89d942b0722 100644 --- a/units/systemd-hostnamed.service.in +++ b/units/systemd-hostnamed.service.in @@ -26,3 +26,4 @@ MemoryDenyWriteExecute=yes RestrictRealtime=yes RestrictAddressFamilies=AF_UNIX SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io +SystemCallArchitectures=native diff --git a/units/systemd-importd.service.in b/units/systemd-importd.service.in index ac27c2bcbab..2a8a683d95f 100644 --- a/units/systemd-importd.service.in +++ b/units/systemd-importd.service.in @@ -21,3 +21,4 @@ MemoryDenyWriteExecute=yes RestrictRealtime=yes RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @obsolete @raw-io +SystemCallArchitectures=native diff --git a/units/systemd-initctl.service.in b/units/systemd-initctl.service.in index 27e663c8dc4..5505309e920 100644 --- a/units/systemd-initctl.service.in +++ b/units/systemd-initctl.service.in @@ -11,5 +11,6 @@ Documentation=man:systemd-initctl.service(8) DefaultDependencies=no [Service] -ExecStart=@rootlibexecdir@/systemd-initctl NotifyAccess=all +ExecStart=@rootlibexecdir@/systemd-initctl +SystemCallArchitectures=native diff --git a/units/systemd-journal-gatewayd.service.in b/units/systemd-journal-gatewayd.service.in index efefaa4244d..b0b934deb21 100644 --- a/units/systemd-journal-gatewayd.service.in +++ b/units/systemd-journal-gatewayd.service.in @@ -25,6 +25,7 @@ ProtectKernelTunables=yes MemoryDenyWriteExecute=yes RestrictRealtime=yes RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 +SystemCallArchitectures=native # If there are many split upjournal files we need a lot of fds to # access them all and combine diff --git a/units/systemd-journal-remote.service.in b/units/systemd-journal-remote.service.in index 753dd6c1588..bc384b83824 100644 --- a/units/systemd-journal-remote.service.in +++ b/units/systemd-journal-remote.service.in @@ -25,6 +25,7 @@ ProtectKernelTunables=yes MemoryDenyWriteExecute=yes RestrictRealtime=yes RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 +SystemCallArchitectures=native [Install] Also=systemd-journal-remote.socket diff --git a/units/systemd-journal-upload.service.in b/units/systemd-journal-upload.service.in index d8fd2436202..d28a62bb35e 100644 --- a/units/systemd-journal-upload.service.in +++ b/units/systemd-journal-upload.service.in @@ -25,6 +25,7 @@ ProtectKernelTunables=yes MemoryDenyWriteExecute=yes RestrictRealtime=yes RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 +SystemCallArchitectures=native # If there are many split up journal files we need a lot of fds to # access them all and combine diff --git a/units/systemd-journald.service.in b/units/systemd-journald.service.in index 712ce554833..b2e7eeeda3f 100644 --- a/units/systemd-journald.service.in +++ b/units/systemd-journald.service.in @@ -28,6 +28,7 @@ MemoryDenyWriteExecute=yes RestrictRealtime=yes RestrictAddressFamilies=AF_UNIX AF_NETLINK SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io +SystemCallArchitectures=native # Increase the default a bit in order to allow many simultaneous # services being run since we keep one fd open per service. Also, when diff --git a/units/systemd-localed.service.in b/units/systemd-localed.service.in index df829e11644..af2cdfffbeb 100644 --- a/units/systemd-localed.service.in +++ b/units/systemd-localed.service.in @@ -26,3 +26,4 @@ MemoryDenyWriteExecute=yes RestrictRealtime=yes RestrictAddressFamilies=AF_UNIX SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io +SystemCallArchitectures=native diff --git a/units/systemd-logind.service.in b/units/systemd-logind.service.in index 0b6de357330..fcbfd1debeb 100644 --- a/units/systemd-logind.service.in +++ b/units/systemd-logind.service.in @@ -29,6 +29,7 @@ MemoryDenyWriteExecute=yes RestrictRealtime=yes RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6 SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @obsolete @raw-io +SystemCallArchitectures=native # Increase the default a bit in order to allow many simultaneous # logins since we keep one fd open per session. diff --git a/units/systemd-machined.service.in b/units/systemd-machined.service.in index 911ead79eea..3c46d04f64e 100644 --- a/units/systemd-machined.service.in +++ b/units/systemd-machined.service.in @@ -21,6 +21,7 @@ MemoryDenyWriteExecute=yes RestrictRealtime=yes RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6 SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @obsolete @raw-io +SystemCallArchitectures=native # Note that machined cannot be placed in a mount namespace, since it # needs access to the host's mount namespace in order to implement the diff --git a/units/systemd-networkd.service.m4.in b/units/systemd-networkd.service.m4.in index d1cf3fc133d..4596d31d0f4 100644 --- a/units/systemd-networkd.service.m4.in +++ b/units/systemd-networkd.service.m4.in @@ -35,6 +35,7 @@ MemoryDenyWriteExecute=yes RestrictRealtime=yes RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6 AF_PACKET SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io +SystemCallArchitectures=native [Install] WantedBy=multi-user.target diff --git a/units/systemd-resolved.service.m4.in b/units/systemd-resolved.service.m4.in index 0f0440ddaf6..dcacbdaeab2 100644 --- a/units/systemd-resolved.service.m4.in +++ b/units/systemd-resolved.service.m4.in @@ -35,6 +35,7 @@ MemoryDenyWriteExecute=yes RestrictRealtime=yes RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6 SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io +SystemCallArchitectures=native [Install] WantedBy=multi-user.target diff --git a/units/systemd-timedated.service.in b/units/systemd-timedated.service.in index e8c4d5ed4ba..7608d9da289 100644 --- a/units/systemd-timedated.service.in +++ b/units/systemd-timedated.service.in @@ -24,3 +24,4 @@ MemoryDenyWriteExecute=yes RestrictRealtime=yes RestrictAddressFamilies=AF_UNIX SystemCallFilter=~@cpu-emulation @debug @keyring @module @mount @obsolete @raw-io +SystemCallArchitectures=native diff --git a/units/systemd-timesyncd.service.in b/units/systemd-timesyncd.service.in index 9a6c6ea60dd..46b81ebab3a 100644 --- a/units/systemd-timesyncd.service.in +++ b/units/systemd-timesyncd.service.in @@ -34,6 +34,7 @@ MemoryDenyWriteExecute=yes RestrictRealtime=yes RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 SystemCallFilter=~@cpu-emulation @debug @keyring @module @mount @obsolete @raw-io +SystemCallArchitectures=native [Install] WantedBy=sysinit.target diff --git a/units/systemd-udevd.service.in b/units/systemd-udevd.service.in index 46d637883bd..fc037b5a5cd 100644 --- a/units/systemd-udevd.service.in +++ b/units/systemd-udevd.service.in @@ -28,3 +28,4 @@ MountFlags=slave MemoryDenyWriteExecute=yes RestrictRealtime=yes RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6 +SystemCallArchitectures=native