RepoMirrors
/
haproxy
mirror of http://git.haproxy.org/git/haproxy.git/
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

MINOR: systemd: Add SystemD's SystemCallFilter option to the unit file 

This option takes away system calls that are unneeded for haproxy's
operation and thus is a good defense in depth measure.
This commit is contained in:
Tim Duesterhus 2018-02-27 20:19:05 +01:00 committed by Willy Tarreau
parent 8a9659212e
commit 2788a39c07
1 changed files with 2 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
contrib/systemd/haproxy.service.in
View File

@ -27,6 +27,8 @@ Type=notify
# ProtectKernelTunables=true
# ProtectKernelModules=true
# ProtectControlGroups=true
# If your SystemD version supports them, you can add: @reboot, @swap, @sync
# SystemCallFilter=~@cpu-emulation @keyring @module @obsolete @raw-io
[Install]
WantedBy=multi-user.target