From 6489ccfe48bb21a43694b60173a49d140b4fb91f Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Thu, 9 Feb 2017 11:22:08 +0100
Subject: units: make use of @reboot and @swap in our long-running service
 SystemCallFilter= settings

Tighten security up a bit more.
---
 units/systemd-logind.service.in | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'units/systemd-logind.service.in')

diff --git a/units/systemd-logind.service.in b/units/systemd-logind.service.in
index 93abeb3dca..e20a3ad057 100644
--- a/units/systemd-logind.service.in
+++ b/units/systemd-logind.service.in
@@ -29,7 +29,7 @@ MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictNamespaces=yes
 RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
-SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @obsolete @raw-io
+SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @obsolete @raw-io @reboot @swap
 SystemCallArchitectures=native
 
 # Increase the default a bit in order to allow many simultaneous
-- 
cgit v1.2.1