[Service]
# the system call filter: reset the filter to empty, then each subsequent assignment adds to it
SystemCallFilter=
# read and write
SystemCallFilter=@basic-io
# @file-system (systemd commit 1a1b13c957, not in any release yet)
SystemCallFilter=open close stat stat64 fstat fstat64 lstat lstat64 creat mkdir getdents getdents64 getcwd access fcntl fcntl64 mmap munmap readlink
# event loop (is there data on a socket?)
SystemCallFilter=@io-event
# network connections
SystemCallFilter=@network-io
# JIT code generation
SystemCallFilter=mprotect brk
# signals
SystemCallFilter=rt_sigaction rt_sigprocmask
# threads
SystemCallFilter=clone gettid futex set_robust_list set_tid_address sched_getaffinity sched_setaffinity sched_yield
# allow nio to detect platform
SystemCallFilter=uname
# not sure what these are used for
SystemCallFilter=arch_prctl sysinfo setrlimit madvise pipe
# don't kill the process when an illegal syscall is issued, just return Operation not permitted
SystemCallErrorNumber=EPERM