X-Git-Url: https://code.wpia.club/?p=gigi.git;a=blobdiff_plain;f=debian%2Fgigi-proxy.service.d%2FSystemCallFilter.conf;fp=debian%2Fgigi-proxy.service.d%2FSystemCallFilter.conf;h=e0a692c41f6300072bc1526e318f9beea1c78950;hp=0000000000000000000000000000000000000000;hb=a9405c7e4b3aaa670f4b53da18c0b15448c87c2c;hpb=cd8500a5faf420aace24ee253a4f2407eb85588d
diff --git a/debian/gigi-proxy.service.d/SystemCallFilter.conf b/debian/gigi-proxy.service.d/SystemCallFilter.conf
new file mode 100644
index 00000000..e0a692c4
--- /dev/null
+++ b/debian/gigi-proxy.service.d/SystemCallFilter.conf
@@ -0,0 +1,23 @@
+[Service]
+# the system call filter: reset the filter to empty, then each subsequent assignment adds to it
+SystemCallFilter=
+# read and write
+SystemCallFilter=@basic-io
+# @file-system (systemd commit 1a1b13c957, not in any release yet)
+SystemCallFilter=open close stat stat64 fstat fstat64 lstat lstat64 creat mkdir getdents getdents64 getcwd access fcntl fcntl64 mmap munmap readlink
+# event loop (is there data on a socket?)
+SystemCallFilter=@io-event
+# network connections
+SystemCallFilter=@network-io
+# JIT code generation
+SystemCallFilter=mprotect brk
+# signals
+SystemCallFilter=rt_sigaction rt_sigprocmask
+# threads
+SystemCallFilter=clone gettid futex set_robust_list set_tid_address sched_getaffinity sched_setaffinity sched_yield
+# allow nio to detect platform
+SystemCallFilter=uname
+# not sure what these are used for
+SystemCallFilter=arch_prctl sysinfo setrlimit madvise pipe
+# don't kill the process when an illegal syscall is issued, just return Operation not permitted
+SystemCallErrorNumber=EPERM
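Review bot: No `SystemCallArchitectures=` line accompanies the allowlist in this drop-in, so unless the main unit or another drop-in already sets it, the service may still issue calls through a non-native ABI. systemd's documentation recommends pairing `SystemCallFilter=` with `SystemCallArchitectures=native`, and since `native` follows the host ABI it should also fit the 32-bit builds that the `stat64`/`fcntl64` entries appear to target. Separately, `SystemCallErrorNumber=EPERM` leaves the process running after a denied call, and such denials are probably not logged by default, so the comment above it could say how violations are meant to be noticed, e.g. `# denied calls return EPERM and are not fatal; watch the service log for unexpected "Operation not permitted" errors`. The group under `# not sure what these are used for` widens the allowlist without a stated reason; a follow-up that confirms or drops `arch_prctl sysinfo setrlimit madvise pipe` would keep the list minimal.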