agent unit: drop SystemCallFilter — was killing restic with SIGSYS
Allow-list filter @system-service excludes some syscalls Go's runtime + restic's file scanner reach for; init job died immediately with "bad system call (core dumped)". CapabilityBounding already constrains what root can do; the Protect*/Restrict* toggles still cover network / kernel / mount / namespace. Net effect on the threat model is negligible vs the operational cost.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@@ -53,8 +53,11 @@ RestrictNamespaces=true
 LockPersonality=true
 MemoryDenyWriteExecute=true
 SystemCallArchitectures=native
-SystemCallFilter=@system-service
-SystemCallFilter=~@privileged @resources @reboot @swap @module @raw-io
+# (No SystemCallFilter — the cap drop above already constrains what
+# root can do; an allow-list filter killed restic with SIGSYS during
+# init because @system-service excludes some of the syscalls Go's
+# runtime + restic's file scanner reach for. The Protect*/Restrict*
+# toggles still cover network / kernel / mount / namespace.)
 
 [Install]
 WantedBy=multi-user.target
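Review bot: the hunk removes both SystemCallFilter= lines, but the commit message only justifies dropping the allow-list one; the second removed line, `SystemCallFilter=~@privileged @resources @reboot @swap @module @raw-io`, is a deny-list and is not the setting that excluded Go's syscalls, so dropping it is a separate decision that the message and the new unit comment should state explicitly. Rather than giving up syscall filtering entirely, consider keeping the deny-list line and adding `SystemCallErrorNumber=EPERM` so a filtered call returns an error instead of raising SIGSYS, then re-running the init job to confirm restic survives; if the intent really is to remove the directive altogether, the unit comment beginning `# (No SystemCallFilter` should say that the deny-list was dropped too and why.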