systemd(SystemCallFilter=~): allow resources group
parent
0229ed60ec
commit
260ad07626
|
@ -22,7 +22,7 @@ IOSchedulingPriority=0
|
||||||
CapabilityBoundingSet=
|
CapabilityBoundingSet=
|
||||||
CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_BOOT CAP_SYS_CHROOT CAP_AUDIT_*
|
CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_BOOT CAP_SYS_CHROOT CAP_AUDIT_*
|
||||||
|
|
||||||
SystemCallFilter=~memfd_create @reboot @swap @resources @cpu-emulation @debug @module @clock @raw-io @obsolete
|
SystemCallFilter=~memfd_create @reboot @swap @cpu-emulation @debug @module @clock @raw-io @obsolete
|
||||||
ProtectProc=invisible
|
ProtectProc=invisible
|
||||||
ProcSubset=pid
|
ProcSubset=pid
|
||||||
ProtectHome=true
|
ProtectHome=true
|
||||||
|
|
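Review bot: Removing `@resources` from the `SystemCallFilter=~` deny-list re-admits the whole group (setrlimit, setpriority, sched_setscheduler, sched_setaffinity, ioprio_set, mbind and related calls; `systemd-analyze syscall-filter @resources` prints the exact set), and neither the commit message nor the unit records which call the service actually needs. I would put a comment directly above the line, e.g. `# @resources allowed: <service> needs <syscall> (<reason>)`, so the exception can be reviewed and narrowed later. If only one or two calls are required, a tighter option is to keep denying the remaining members of the group by name instead of dropping the whole group. The [Service] section begins and continues outside this hunk, so I cannot see whether `RestrictRealtime=true` or explicit `Limit*=` settings are already present to bound what the newly allowed calls can do; that is worth confirming.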