From c565a7abd1964cacbd6bad1ca9aa796bc99d4621 Mon Sep 17 00:00:00 2001 From: Steve Cliff Date: Sat, 2 May 2026 13:40:43 +0100 Subject: [PATCH] =?UTF-8?q?agent=20unit:=20drop=20SystemCallFilter=20?= =?UTF-8?q?=E2=80=94=20was=20killing=20restic=20with=20SIGSYS?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Allow-list filter @system-service excludes some syscalls Go's runtime + restic's file scanner reach for; init job died immediately with "bad system call (core dumped)". CapabilityBounding already constrains what root can do; the Protect*/Restrict* toggles still cover network / kernel / mount / namespace. Net effect on the threat model is negligible vs the operational cost. Co-Authored-By: Claude Opus 4.7 (1M context) --- deploy/install/restic-manager-agent.service | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/deploy/install/restic-manager-agent.service b/deploy/install/restic-manager-agent.service index e253ccc..01931e1 100644 --- a/deploy/install/restic-manager-agent.service +++ b/deploy/install/restic-manager-agent.service @@ -53,8 +53,11 @@ RestrictNamespaces=true LockPersonality=true MemoryDenyWriteExecute=true SystemCallArchitectures=native -SystemCallFilter=@system-service -SystemCallFilter=~@privileged @resources @reboot @swap @module @raw-io +# (No SystemCallFilter — the cap drop above already constrains what +# root can do; an allow-list filter killed restic with SIGSYS during +# init because @system-service excludes some of the syscalls Go's +# runtime + restic's file scanner reach for. The Protect*/Restrict* +# toggles still cover network / kernel / mount / namespace.) [Install] WantedBy=multi-user.target
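Review bot: removing both `SystemCallFilter=` lines in the `@@ -53,8 +53,11 @@` hunk gives up more than the allow-list that produced the SIGSYS; the second removed line, `SystemCallFilter=~@privileged @resources @reboot @swap @module @raw-io`, is a deny list, and a deny list on its own never kills a process for calling a syscall it does not name, so it does not have the problem the commit message describes. Suggest keeping a deny-list-only filter, e.g. `SystemCallFilter=~@reboot @swap @module @raw-io @obsolete`, ideally with `SystemCallErrorNumber=EPERM` so a hit fails the one call instead of core-dumping restic; that keeps the reboot/module/raw-io coverage at no operational cost, and is cheap to verify with the same init job that failed. Before committing to the diagnosis baked into the new comment, confirm which syscall actually tripped the filter from the core dump the message mentions (`coredumpctl info` on the crash, or the kernel's seccomp audit record, which carries the `syscall=` number): the removed deny list also blocked `@resources`, and that group contains setrlimit/prlimit64, which the Go `os` package calls at startup to raise RLIMIT_NOFILE to the hard limit, so the `~@resources` line is at least as plausible a cause as `@system-service` excluding something, and if so the right fix is dropping that one group rather than the whole filter. While you are there, check whether `~@privileged` is safe for this unit at all: it includes `@chown`, which a restore running as root will need. Minor: the commit message says `CapabilityBounding`; the directive is `CapabilityBoundingSet=`, and naming it in the new comment ("the cap drop above") would help the next reader find it.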