This limits what the uuid daemon has access to when it runs. Further improving this with additional options or making things even tighter is most likely possible. Signed-off-by: Andreas Henriksson <andreas@xxxxxxxx> --- misc-utils/uuidd.service.in | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/misc-utils/uuidd.service.in b/misc-utils/uuidd.service.in index 45f1f7334..dd38b645c 100644 --- a/misc-utils/uuidd.service.in +++ b/misc-utils/uuidd.service.in @@ -17,8 +17,7 @@ ProtectKernelModules=yes ProtectControlGroups=yes RestrictAddressFamilies=AF_UNIX MemoryDenyWriteExecute=yes -SystemCallFilter=@default @file-system @basic-io @system-service @signal @io-eve -nt @network-io +SystemCallFilter=@default @file-system @basic-io @system-service @signal @io-event @network-io [Install] Also=uuidd.socket -- 2.19.1
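Review bot: The commit message does not describe the change on the SystemCallFilter= line. The message talks about limiting what the daemon can access, but the only edit rejoins a value that was split mid-word, with "@io-eve" ending the directive and "nt @network-io" on a line of its own. Please say in the message that this repairs the wrapped SystemCallFilter= value, and whether the wrap was present in the tree or came from mail transport, so the history shows when the filter as written actually took effect. Since the diffstat is 1 insertion and 2 deletions with no other directive touched, it would also help to note that the generated unit was checked with systemd-analyze verify after the change, to confirm that every group on the line ("@io-event" and "@network-io" in particular) is now parsed as part of the filter.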