units: add SystemCallErrorNumber=EPERM to systemd-portabled.service

We use that on all other services, and hence should here too. Otherwise the service will be killed with SIGSYS when doing something not whitelisted, which is a bit crass.
author: Lennart Poettering <lennart@poettering.net> 2019-07-07 17:28:57 +0200
committer: Yu Watanabe <watanabe.yu+github@gmail.com> 2019-07-08 13:47:04 +0900
commit: ba2fb17d8b5c8fc66b41a2d04c03dd9ccb5f6de3 (patch)
tree: 3f0cbe1417affb8daae7f96ee11bf7f019eeb2eb /units
parent: 24e4b4a199edd7fa743b39a36aa14d312fb94be5 (diff)
download: systemd-ba2fb17d8b5c8fc66b41a2d04c03dd9ccb5f6de3.tar.gz
systemd-ba2fb17d8b5c8fc66b41a2d04c03dd9ccb5f6de3.tar.bz2
systemd-ba2fb17d8b5c8fc66b41a2d04c03dd9ccb5f6de3.zip
1 files changed, 1 insertions, 0 deletions
diff --git a/units/systemd-portabled.service.in b/units/systemd-portabled.service.in
index a8eab94d02..c88d3597b7 100644
--- a/units/systemd-portabled.service.in
+++ b/units/systemd-portabled.service.in
@@ -22,6 +22,7 @@ ProtectHostname=yes
 RestrictRealtime=yes
 RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
 SystemCallFilter=@system-service @mount
+SystemCallErrorNumber=EPERM
 SystemCallArchitectures=native
 LockPersonality=yes
 IPAddressDeny=any
author	Lennart Poettering <lennart@poettering.net>	2019-07-07 17:28:57 +0200
committer	Yu Watanabe <watanabe.yu+github@gmail.com>	2019-07-08 13:47:04 +0900
commit	ba2fb17d8b5c8fc66b41a2d04c03dd9ccb5f6de3 (patch)
tree	3f0cbe1417affb8daae7f96ee11bf7f019eeb2eb /units
parent	24e4b4a199edd7fa743b39a36aa14d312fb94be5 (diff)
download	systemd-ba2fb17d8b5c8fc66b41a2d04c03dd9ccb5f6de3.tar.gz systemd-ba2fb17d8b5c8fc66b41a2d04c03dd9ccb5f6de3.tar.bz2 systemd-ba2fb17d8b5c8fc66b41a2d04c03dd9ccb5f6de3.zip