commit 7367a8fc4bbb4b8ea3991c9985f463fcdf0aa6d0 parent d938354148163f549dcdd92759832d686d276d88 Author: Chris Down <chris@chrisdown.name> Date: Fri, 17 Feb 2017 14:05:24 -0500 Do not filter syscalls in systemd init Since we don't write the applications we use, this is liable to break pretty easily for new/older versions than tested on. The other protections should be sufficient. Diffstat:
| M | init/clipmenud.service | | | 10 | ---------- |
1 file changed, 0 insertions(+), 10 deletions(-)
diff --git a/init/clipmenud.service b/init/clipmenud.service @@ -7,16 +7,6 @@ Restart=always RestartSec=0 Environment=DISPLAY=:0 -SystemCallFilter=@basic-io @default @io-event @ipc @network-io @process \ - brk fadvise64 getegid geteuid getgid getgroups getpgrp \ - getpid getppid getrlimit getuid ioctl mprotect rt_sigaction \ - rt_sigprocmask setitimer setsid sysinfo umask uname wait4 - -# @file-system will handle this once v233 is released, see -# http://bit.ly/2l1r8Ah for more details. -SystemCallFilter=access chdir close faccessat fcntl fstat getcwd mkdir mmap \ - munmap open stat statfs unlink - MemoryDenyWriteExecute=yes NoNewPrivileges=yes ProtectControlGroups=yes