From: Lennart Poettering <lennart@poettering.net>
Date: Mon, 12 Nov 2018 18:21:09 +0000 (+0100)
Subject: units: also change portabled's syscall filter to a whitelist
X-Git-Tag: v240~339
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=99cd001d4c27c90cd9c0c66f88dc3673bb39ce73;p=thirdparty%2Fsystemd.git

units: also change portabled's syscall filter to a whitelist
---

diff --git a/units/systemd-portabled.service.in b/units/systemd-portabled.service.in
index a868f61dbac..a44cdb30a42 100644
--- a/units/systemd-portabled.service.in
+++ b/units/systemd-portabled.service.in
@@ -20,7 +20,7 @@ CapabilityBoundingSet=CAP_KILL CAP_SYS_PTRACE CAP_SYS_ADMIN CAP_SETGID CAP_SYS_C
 MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
-SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @obsolete @raw-io @reboot @swap
+SystemCallFilter=@system-service @mount
 SystemCallArchitectures=native
 LockPersonality=yes
 IPAddressDeny=any