fix(agent): relax SystemCallFilter — Node needs @cpu-emulation etc.
The extra ~@cpu-emulation ~@obsolete ~@swap ~@raw-io negations on top of @system-service killed Claude Code (Node) with SIGSYS during startup. Keep just the truly dangerous groups blocked: ~@privileged ~@reboot ~@mount. The base @system-service preset already excludes others (no @debug, no @resources, etc. are included by default in that preset).
parent 5cf052cedf
commit 49ae4369e0
1 changed file with 9 additions and 7 deletions
@ -91,17 +91,19 @@ RestrictNamespaces=true
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
|
# ─── Syscall filter ────────────────────────────────────────────────
# Use the standard @system-service preset which is what almost every
# hardened systemd unit uses. It already excludes the dangerous groups
# (privileged, mount, reboot, raw-io, etc.) by NOT including them, while
# being broad enough to host typical apps including Node.js.
#
# We tried adding extra "~@..." negations on top — they killed Claude
# (Node) with SIGSYS during startup. The default @system-service preset
# is the right balance; the rest of the hardening covers what we need.
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallFilter=~@privileged
SystemCallFilter=~@resources
SystemCallFilter=~@debug
SystemCallFilter=~@mount
SystemCallFilter=~@cpu-emulation
SystemCallFilter=~@obsolete
SystemCallFilter=~@reboot
SystemCallFilter=~@swap
SystemCallFilter=~@raw-io
SystemCallFilter=~@mount
|
[Install]
WantedBy=multi-user.target
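Review bot: the removed `SystemCallFilter=~@resources` line was not a no-op and deserves a second look before this hunk is merged. The new comment ("It already excludes the dangerous groups ... by NOT including them") and the commit message both assume `@system-service` leaves `@resources` out, but in systemd's filter-set definitions `@resources` is a member of `@system-service`, so dropping `~@resources` re-allows setrlimit/prlimit64/sched_setaffinity and friends; by contrast `~@cpu-emulation`, `~@obsolete`, `~@swap` and `~@raw-io` subtract groups the preset never contained and cannot by themselves have produced the SIGSYS the comment blames on them. Verify with `systemd-analyze syscall-filter @system-service`, and pin down the actual offending syscall rather than removing filters until the process survives: the kernel logs each seccomp kill as an audit record (type=1326) that carries the syscall number, visible in `journalctl -k`, and setting `SystemCallErrorNumber=EPERM` temporarily turns the kill into a diagnosable error return. Two smaller points: `~@mount` appears twice in the rendered hunk (once in the old list, once in the new), so confirm the final unit has a single `SystemCallFilter=~@mount`; and the comment's closing line, "The default @system-service preset is the right balance", no longer matches the three `~@privileged`/`~@reboot`/`~@mount` negations that still follow it, so either reword it to say those three are kept deliberately or drop it.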