MINOR: systemd: Add SystemD's SystemCallFilter option to the unit file This option takes away system calls that are unneeded for haproxy's operation and thus is a good defense in depth measure.

commit: 2788a39c07621e7af0d2efa34b4adabe8a01ad31 [log] [tgz]
author: Tim Duesterhus <tim@bastelstu.be> Tue Feb 27 20:19:05 2018 +0100
committer: Willy Tarreau <w@1wt.eu> Thu Mar 01 15:57:15 2018 +0100
tree: a980dbd34d2f1f7e59a048e63044d8280e0cb8c0
parent: 8a9659212e4d491e4195de72aee4149db6359e09 [diff]
diff --git a/contrib/systemd/haproxy.service.in b/contrib/systemd/haproxy.service.in
index 846bcc7..7a8b6be 100644
--- a/contrib/systemd/haproxy.service.in
+++ b/contrib/systemd/haproxy.service.in

@@ -27,6 +27,8 @@
 # ProtectKernelTunables=true
 # ProtectKernelModules=true
 # ProtectControlGroups=true
+# If your SystemD version supports them, you can add: @reboot, @swap, @sync
+# SystemCallFilter=~@cpu-emulation @keyring @module @obsolete @raw-io
 
 [Install]
 WantedBy=multi-user.target
commit	2788a39c07621e7af0d2efa34b4adabe8a01ad31	[log] [tgz]
author	Tim Duesterhus <tim@bastelstu.be>	Tue Feb 27 20:19:05 2018 +0100
committer	Willy Tarreau <w@1wt.eu>	Thu Mar 01 15:57:15 2018 +0100
tree	a980dbd34d2f1f7e59a048e63044d8280e0cb8c0
parent	8a9659212e4d491e4195de72aee4149db6359e09 [diff]