This option takes away system calls that are unneeded for haproxy's
operation and thus is a good defense in depth measure.

There are more system call sets available in newer SystemD versions,
but using those would make SystemD ignore the whole option when they
are not supported. This patch adds a first basic subset that should
be well supported.
---
 contrib/systemd/haproxy.service.in | 1 +
 1 file changed, 1 insertion(+)

diff --git a/contrib/systemd/haproxy.service.in 
b/contrib/systemd/haproxy.service.in
index e64246728..7e993c2c4 100644
--- a/contrib/systemd/haproxy.service.in
+++ b/contrib/systemd/haproxy.service.in
@@ -13,6 +13,7 @@ Restart=always
 Type=notify
 ProtectHome=true
 ProtectSystem=true
+SystemCallFilter=~@cpu-emulation @keyring @module @obsolete @raw-io
 
 [Install]
 WantedBy=multi-user.target
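Review bot: the new `SystemCallFilter=` line carries no comment explaining that it is a deny-list (the leading `~`) of groups haproxy does not need, nor why it stops at these five groups; a reader editing the unit later could easily mistake it for an allow-list, so consider a comment directly above it, e.g. `# Deny (~) syscall groups haproxy never uses; only groups supported by older systemd are listed`. Since a filtered call terminates the process by default, it would also help to state in the commit message that start, reload and stop were exercised with the filter active, so the claim that the chosen groups are unneeded is backed by a test rather than assumption.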
-- 
2.16.2

