summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorLennart Poettering <lennart@poettering.net>2017-02-08 22:32:37 +0100
committerLennart Poettering <lennart@poettering.net>2017-02-09 16:12:03 +0100
commit7f396e5f66e91caf450890c34bc9e00b717aae86 (patch)
tree059b1dc6e1031891889d0fb9d46b93ba8ef1a4b0
parentdhcp-server: add two missing OOM checks (diff)
downloadsystemd-7f396e5f66e91caf450890c34bc9e00b717aae86.tar.xz
systemd-7f396e5f66e91caf450890c34bc9e00b717aae86.zip
units: set SystemCallArchitectures=native on all our long-running services
-rw-r--r--units/systemd-ask-password-console.service.in1
-rw-r--r--units/systemd-ask-password-wall.service.in1
-rw-r--r--units/systemd-coredump@.service.in1
-rw-r--r--units/systemd-hostnamed.service.in1
-rw-r--r--units/systemd-importd.service.in1
-rw-r--r--units/systemd-initctl.service.in3
-rw-r--r--units/systemd-journal-gatewayd.service.in1
-rw-r--r--units/systemd-journal-remote.service.in1
-rw-r--r--units/systemd-journal-upload.service.in1
-rw-r--r--units/systemd-journald.service.in1
-rw-r--r--units/systemd-localed.service.in1
-rw-r--r--units/systemd-logind.service.in1
-rw-r--r--units/systemd-machined.service.in1
-rw-r--r--units/systemd-networkd.service.m4.in1
-rw-r--r--units/systemd-resolved.service.m4.in1
-rw-r--r--units/systemd-timedated.service.in1
-rw-r--r--units/systemd-timesyncd.service.in1
-rw-r--r--units/systemd-udevd.service.in1
18 files changed, 19 insertions, 1 deletions
diff --git a/units/systemd-ask-password-console.service.in b/units/systemd-ask-password-console.service.in
index a24fa51903..adaa60da87 100644
--- a/units/systemd-ask-password-console.service.in
+++ b/units/systemd-ask-password-console.service.in
@@ -16,3 +16,4 @@ ConditionPathExists=!/run/plymouth/pid
[Service]
ExecStart=@rootbindir@/systemd-tty-ask-password-agent --watch --console
+SystemCallArchitectures=native
diff --git a/units/systemd-ask-password-wall.service.in b/units/systemd-ask-password-wall.service.in
index 0eaa274794..be380023a7 100644
--- a/units/systemd-ask-password-wall.service.in
+++ b/units/systemd-ask-password-wall.service.in
@@ -13,3 +13,4 @@ After=systemd-user-sessions.service
[Service]
ExecStartPre=-@SYSTEMCTL@ stop systemd-ask-password-console.path systemd-ask-password-console.service systemd-ask-password-plymouth.path systemd-ask-password-plymouth.service
ExecStart=@rootbindir@/systemd-tty-ask-password-agent --wall
+SystemCallArchitectures=native
diff --git a/units/systemd-coredump@.service.in b/units/systemd-coredump@.service.in
index 588c8d629c..8ae296ff2b 100644
--- a/units/systemd-coredump@.service.in
+++ b/units/systemd-coredump@.service.in
@@ -22,3 +22,4 @@ OOMScoreAdjust=500
PrivateNetwork=yes
ProtectSystem=full
RuntimeMaxSec=5min
+SystemCallArchitectures=native
diff --git a/units/systemd-hostnamed.service.in b/units/systemd-hostnamed.service.in
index edc5a1722a..89d942b072 100644
--- a/units/systemd-hostnamed.service.in
+++ b/units/systemd-hostnamed.service.in
@@ -26,3 +26,4 @@ MemoryDenyWriteExecute=yes
RestrictRealtime=yes
RestrictAddressFamilies=AF_UNIX
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io
+SystemCallArchitectures=native
diff --git a/units/systemd-importd.service.in b/units/systemd-importd.service.in
index ac27c2bcba..2a8a683d95 100644
--- a/units/systemd-importd.service.in
+++ b/units/systemd-importd.service.in
@@ -21,3 +21,4 @@ MemoryDenyWriteExecute=yes
RestrictRealtime=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @obsolete @raw-io
+SystemCallArchitectures=native
diff --git a/units/systemd-initctl.service.in b/units/systemd-initctl.service.in
index 27e663c8dc..5505309e92 100644
--- a/units/systemd-initctl.service.in
+++ b/units/systemd-initctl.service.in
@@ -11,5 +11,6 @@ Documentation=man:systemd-initctl.service(8)
DefaultDependencies=no
[Service]
-ExecStart=@rootlibexecdir@/systemd-initctl
NotifyAccess=all
+ExecStart=@rootlibexecdir@/systemd-initctl
+SystemCallArchitectures=native
diff --git a/units/systemd-journal-gatewayd.service.in b/units/systemd-journal-gatewayd.service.in
index efefaa4244..b0b934deb2 100644
--- a/units/systemd-journal-gatewayd.service.in
+++ b/units/systemd-journal-gatewayd.service.in
@@ -25,6 +25,7 @@ ProtectKernelTunables=yes
MemoryDenyWriteExecute=yes
RestrictRealtime=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+SystemCallArchitectures=native
# If there are many split upjournal files we need a lot of fds to
# access them all and combine
diff --git a/units/systemd-journal-remote.service.in b/units/systemd-journal-remote.service.in
index 753dd6c158..bc384b8382 100644
--- a/units/systemd-journal-remote.service.in
+++ b/units/systemd-journal-remote.service.in
@@ -25,6 +25,7 @@ ProtectKernelTunables=yes
MemoryDenyWriteExecute=yes
RestrictRealtime=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+SystemCallArchitectures=native
[Install]
Also=systemd-journal-remote.socket
diff --git a/units/systemd-journal-upload.service.in b/units/systemd-journal-upload.service.in
index d8fd243620..d28a62bb35 100644
--- a/units/systemd-journal-upload.service.in
+++ b/units/systemd-journal-upload.service.in
@@ -25,6 +25,7 @@ ProtectKernelTunables=yes
MemoryDenyWriteExecute=yes
RestrictRealtime=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+SystemCallArchitectures=native
# If there are many split up journal files we need a lot of fds to
# access them all and combine
diff --git a/units/systemd-journald.service.in b/units/systemd-journald.service.in
index 712ce55483..b2e7eeeda3 100644
--- a/units/systemd-journald.service.in
+++ b/units/systemd-journald.service.in
@@ -28,6 +28,7 @@ MemoryDenyWriteExecute=yes
RestrictRealtime=yes
RestrictAddressFamilies=AF_UNIX AF_NETLINK
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io
+SystemCallArchitectures=native
# Increase the default a bit in order to allow many simultaneous
# services being run since we keep one fd open per service. Also, when
diff --git a/units/systemd-localed.service.in b/units/systemd-localed.service.in
index df829e1164..af2cdfffbe 100644
--- a/units/systemd-localed.service.in
+++ b/units/systemd-localed.service.in
@@ -26,3 +26,4 @@ MemoryDenyWriteExecute=yes
RestrictRealtime=yes
RestrictAddressFamilies=AF_UNIX
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io
+SystemCallArchitectures=native
diff --git a/units/systemd-logind.service.in b/units/systemd-logind.service.in
index 0b6de35733..fcbfd1debe 100644
--- a/units/systemd-logind.service.in
+++ b/units/systemd-logind.service.in
@@ -29,6 +29,7 @@ MemoryDenyWriteExecute=yes
RestrictRealtime=yes
RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @obsolete @raw-io
+SystemCallArchitectures=native
# Increase the default a bit in order to allow many simultaneous
# logins since we keep one fd open per session.
diff --git a/units/systemd-machined.service.in b/units/systemd-machined.service.in
index 911ead79ee..3c46d04f64 100644
--- a/units/systemd-machined.service.in
+++ b/units/systemd-machined.service.in
@@ -21,6 +21,7 @@ MemoryDenyWriteExecute=yes
RestrictRealtime=yes
RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @obsolete @raw-io
+SystemCallArchitectures=native
# Note that machined cannot be placed in a mount namespace, since it
# needs access to the host's mount namespace in order to implement the
diff --git a/units/systemd-networkd.service.m4.in b/units/systemd-networkd.service.m4.in
index d1cf3fc133..4596d31d0f 100644
--- a/units/systemd-networkd.service.m4.in
+++ b/units/systemd-networkd.service.m4.in
@@ -35,6 +35,7 @@ MemoryDenyWriteExecute=yes
RestrictRealtime=yes
RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6 AF_PACKET
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io
+SystemCallArchitectures=native
[Install]
WantedBy=multi-user.target
diff --git a/units/systemd-resolved.service.m4.in b/units/systemd-resolved.service.m4.in
index 0f0440ddaf..dcacbdaeab 100644
--- a/units/systemd-resolved.service.m4.in
+++ b/units/systemd-resolved.service.m4.in
@@ -35,6 +35,7 @@ MemoryDenyWriteExecute=yes
RestrictRealtime=yes
RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io
+SystemCallArchitectures=native
[Install]
WantedBy=multi-user.target
diff --git a/units/systemd-timedated.service.in b/units/systemd-timedated.service.in
index e8c4d5ed4b..7608d9da28 100644
--- a/units/systemd-timedated.service.in
+++ b/units/systemd-timedated.service.in
@@ -24,3 +24,4 @@ MemoryDenyWriteExecute=yes
RestrictRealtime=yes
RestrictAddressFamilies=AF_UNIX
SystemCallFilter=~@cpu-emulation @debug @keyring @module @mount @obsolete @raw-io
+SystemCallArchitectures=native
diff --git a/units/systemd-timesyncd.service.in b/units/systemd-timesyncd.service.in
index 9a6c6ea60d..46b81ebab3 100644
--- a/units/systemd-timesyncd.service.in
+++ b/units/systemd-timesyncd.service.in
@@ -34,6 +34,7 @@ MemoryDenyWriteExecute=yes
RestrictRealtime=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
SystemCallFilter=~@cpu-emulation @debug @keyring @module @mount @obsolete @raw-io
+SystemCallArchitectures=native
[Install]
WantedBy=sysinit.target
diff --git a/units/systemd-udevd.service.in b/units/systemd-udevd.service.in
index 46d637883b..fc037b5a5c 100644
--- a/units/systemd-udevd.service.in
+++ b/units/systemd-udevd.service.in
@@ -28,3 +28,4 @@ MountFlags=slave
MemoryDenyWriteExecute=yes
RestrictRealtime=yes
RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
+SystemCallArchitectures=native