HorlogeSkynet eede2e70d1 sec: enforces SystemCallFilter in the "common and reliable pattern" ...

Let's advise a more thorough seccomp setup through available syscalls
set reduction. Most of services should run with `@system-service`
predefined set. Although, we explicit block `memfd_create` syscall, as
recommended in `MemoryDenyWriteExecute` directive documentation.

2026-05-27 23:22:29 +02:00

..

systemd_service_hardening.md

sec: enforces SystemCallFilter in the "common and reliable pattern"

2026-05-27 23:22:29 +02:00