Merge pull request #67 from safing/fix/remove-syscall-filter

Remove SystemCall restrictions from service file
safing · Jan 26, 2022 · 023367e · 023367e
2 parents 2fce078 + 19c76c7
commit 023367e
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 12 deletions.
diff --git a/linux/portmaster.service b/linux/portmaster.service
@@ -25,19 +25,18 @@ ProtectSystem=true
 #ReadWritePaths=/run/xtables.lock
 RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
 RestrictNamespaces=yes
-RestrictSUIDSGID=yes
 # In future version portmaster will require access to user home
 # directories to verify application permissions.
 ProtectHome=read-only
 ProtectKernelTunables=yes
 ProtectKernelLogs=yes
 ProtectControlGroups=yes
 PrivateDevices=yes
-AmbientCapabilities=cap_chown cap_kill cap_net_admin cap_net_bind_service cap_net_broadcast cap_net_raw cap_sys_module cap_sys_ptrace cap_dac_override
-CapabilityBoundingSet=cap_chown cap_kill cap_net_admin cap_net_bind_service cap_net_broadcast cap_net_raw cap_sys_module cap_sys_ptrace cap_dac_override
-SystemCallArchitectures=native
-SystemCallFilter=@system-service @module
-SystemCallErrorNumber=EPERM
+AmbientCapabilities=cap_chown cap_kill cap_net_admin cap_net_bind_service cap_net_broadcast cap_net_raw cap_sys_module cap_sys_ptrace cap_dac_override cap_fowner cap_fsetid
+CapabilityBoundingSet=cap_chown cap_kill cap_net_admin cap_net_bind_service cap_net_broadcast cap_net_raw cap_sys_module cap_sys_ptrace cap_dac_override cap_fowner cap_fsetid
+# SystemCallArchitectures=native
+# SystemCallFilter=@system-service @module
+# SystemCallErrorNumber=EPERM
 ExecStart=/opt/safing/portmaster/portmaster-start --data /opt/safing/portmaster core -- $PORTMASTER_ARGS
 ExecStopPost=-/opt/safing/portmaster/portmaster-start recover-iptables
 

diff --git a/linux/templates/snippets/install-systemd-utils.sh b/linux/templates/snippets/install-systemd-utils.sh
@@ -18,12 +18,6 @@ installSystemdSupport() {
             changed="True"
         fi
 
-        # SystemCallFilter groups are added in 231 so make sure we comment it out
-        if [ "${systemd_version}" -lt 231 ]; then
-            sed -i "s/^SystemCall/#SystemCall/g" /opt/safing/portmaster/portmaster.service ||:
-            changed="True"
-        fi
-
         if [ "${changed}" = "True" ] && [ "$1" = "upgrade" ]; then
             systemctl daemon-reload ||:
         fi