[PATCH 1/2] paccache.service.in: Add @system-service to SystemCallFilter
The SystemCallFilter group @system-service includes some calls that are necessary for the service unit to run, that are not included in @file-system. Signed-off-by: Frederik “Freso” S. Olesen <freso.dk@gmail.com> --- src/paccache.service.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/paccache.service.in b/src/paccache.service.in index 0a280b3..a821daf 100644 --- a/src/paccache.service.in +++ b/src/paccache.service.in @@ -36,5 +36,5 @@ RestrictRealtime=yes RestrictSUIDSGID=yes RemoveIPC=yes PrivateMounts=yes -SystemCallFilter=@file-system +SystemCallFilter=@system-service @file-system SystemCallArchitectures=native -- 2.34.1
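Review bot: The added line "SystemCallFilter=@system-service @file-system" widens the allow-list by a whole syscall group, but the commit message only says "some calls that are necessary" without naming them. Please list the syscalls that were being blocked when the unit failed, so the broader filter can be justified, or allow just those calls on top of @file-system. It is also worth checking with "systemd-analyze syscall-filter @system-service" whether @file-system still needs to be listed on that line once @system-service is present.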
RestrictAddressFamilies used to not have an option to restrict all address families, but systemd 249 introduced a special value "none" exactly for this purpose. Signed-off-by: Frederik “Freso” S. Olesen <freso.dk@gmail.com> --- src/paccache.service.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/paccache.service.in b/src/paccache.service.in index a821daf..57390ea 100644 --- a/src/paccache.service.in +++ b/src/paccache.service.in @@ -28,7 +28,7 @@ ProtectKernelTunables=yes ProtectKernelModules=yes ProtectKernelLogs=yes ProtectControlGroups=yes -RestrictAddressFamilies=AF_UNIX +RestrictAddressFamilies=none RestrictNamespaces=yes LockPersonality=yes MemoryDenyWriteExecute=yes -- 2.34.1
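Review bot: "RestrictAddressFamilies=none" in the -28,7 hunk makes the unit depend on systemd 249, going by the commit message, yet neither the message nor the unit file says what happens on an older systemd. Please state the minimum systemd version the unit now requires (in the commit message or a comment above the line), and confirm that an older systemd does not end up applying no address-family restriction at all where "RestrictAddressFamilies=AF_UNIX" was enforced before.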
On Tue, Nov 30, 2021 at 01:38:22PM +0100, Frederik “Freso” S. Olesen via pacman-contrib wrote:
> The SystemCallFilter group @system-service includes some calls that are necessary for the service unit to run, that are not included in @file-system.
> Signed-off-by: Frederik “Freso” S. Olesen <freso.dk@gmail.com>

hello. you can open mr at https://gitlab.archlinux.org/pacman/pacman-contrib

--
Sincerely, Alexander | Trusted User
On Tue, Nov 30, 2021 at 05:02:52PM +0300, Alexander Epaneshnikov wrote:
> On Tue, Nov 30, 2021 at 01:38:22PM +0100, Frederik “Freso” S. Olesen via pacman-contrib wrote:
> > The SystemCallFilter group @system-service includes some calls that are necessary for the service unit to run, that are not included in @file-system.
> > Signed-off-by: Frederik “Freso” S. Olesen <freso.dk@gmail.com>
> hello. you can open mr at https://gitlab.archlinux.org/pacman/pacman-contrib

FYI I did that. https://gitlab.archlinux.org/pacman/pacman-contrib/-/merge_requests/3

--
Sincerely, Alexander | Trusted User
On Tue, Dec 07, 2021 at 01:14:09PM +0300, Alexander Epaneshnikov wrote:
> On Tue, Nov 30, 2021 at 05:02:52PM +0300, Alexander Epaneshnikov wrote:
> > On Tue, Nov 30, 2021 at 01:38:22PM +0100, Frederik “Freso” S. Olesen via pacman-contrib wrote:
> > > The SystemCallFilter group @system-service includes some calls that are necessary for the service unit to run, that are not included in @file-system.
> > > Signed-off-by: Frederik “Freso” S. Olesen <freso.dk@gmail.com>
> > hello. you can open mr at https://gitlab.archlinux.org/pacman/pacman-contrib

Nice! I hadn’t realised that gitlab.AL had been opened to the public now. Last time I checked, only devs and TUs and maybe a few others had access. :)

> FYI I did that. https://gitlab.archlinux.org/pacman/pacman-contrib/-/merge_requests/3

Yeah, I just today managed to get access to it. (It wasn’t clear which e-mail it wanted me to verify, so I had to dig through a bunch of addresses before finding the verification mail.) Anyway, as you said, you made the PR now, so thanks for that. At least I have access now for future PRs. :p

--
Solidarity, Frederik “Freso” S. Olesen [he/him // they/them]
https://freso.dk/ // https://allmylinks.freso.dk/