core: add a system-wide SystemCallArchitectures= setting

This is useful to prohibit execution of non-native processes on systems, for example 32bit binaries on 64bit systems, this lowering the attack service on incorrect syscall and ioctl 32→64bit mappings.
author: Lennart Poettering <lennart@poettering.net> 2014-02-13 01:35:27 +0100
committer: Lennart Poettering <lennart@poettering.net> 2014-02-13 01:40:50 +0100
commit: d3b1c5083359faa6cfca81810cf87ef70d0290f6 (patch)
tree: cfff30a9ffb6cfc83b8a23c39685ef19ba8b3a67 /src/core/system.conf
parent: 624b5a636f2e0003a67025274d7afe9ebc55423b (diff)
1 files changed, 3 insertions, 2 deletions
diff --git a/src/core/system.conf b/src/core/system.conf
index 38bbca5b41..7a2d7b4d09 100644
--- a/src/core/system.conf
+++ b/src/core/system.conf
@@ -17,13 +17,14 @@
 #ShowStatus=yes
 #CrashChVT=1
 #CPUAffinity=1 2
-#DefaultStandardOutput=journal
-#DefaultStandardError=inherit
 #JoinControllers=cpu,cpuacct net_cls,net_prio
 #RuntimeWatchdogSec=0
 #ShutdownWatchdogSec=10min
 #CapabilityBoundingSet=
+#SystemCallArchitectures=
 #TimerSlackNSec=
+#DefaultStandardOutput=journal
+#DefaultStandardError=inherit
 #DefaultTimeoutStartSec=90s
 #DefaultTimeoutStopSec=90s
 #DefaultRestartSec=100ms
author	Lennart Poettering <lennart@poettering.net>	2014-02-13 01:35:27 +0100
committer	Lennart Poettering <lennart@poettering.net>	2014-02-13 01:40:50 +0100
commit	d3b1c5083359faa6cfca81810cf87ef70d0290f6 (patch)
tree	cfff30a9ffb6cfc83b8a23c39685ef19ba8b3a67 /src/core/system.conf
parent	624b5a636f2e0003a67025274d7afe9ebc55423b (diff)