Skip to content

Commit

Permalink
Simplify allowed system calls for xrdp
Browse files Browse the repository at this point in the history 
- The command 'systemd-analyze syscall-filter' shows that the group
  @System-service added to the xrdp-service SystemCallFilter
  actually includes all of the other listed groups and individual
  services.  Consequently this line can be simplified to just specify
  @System-service.

- (reversion) The SystemCallErrorNumber setting in xrdp.service has been
  removed so that unauthorized system calls cause an immediate process exit.
  • Loading branch information
@matt335672
matt335672 committed Mar 22, 2024
1 parent 45df240 commit e0e9177
Showing 1 changed file with 1 addition and 3 deletions.
4 changes: 1 addition & 3 deletions instfiles/xrdp.service.in
View file
Original file line number Diff line number Diff line change
Expand Up @@ -10,9 +10,7 @@ EnvironmentFile=-@sysconfdir@/sysconfig/xrdp
EnvironmentFile=-@sysconfdir@/default/xrdp
ExecStart=@sbindir@/xrdp $XRDP_OPTIONS --nodaemon
SystemCallArchitectures=native
SystemCallFilter=@basic-io @file-system @io-event @ipc @network-io @process
SystemCallFilter=@signal @system-service ioctl madvise sysinfo uname
SystemCallErrorNumber=EPERM
SystemCallFilter=@system-service

[Install]
WantedBy=multi-user.target

0 comments on commit e0e9177

Please sign in to comment.