This option takes away system calls that are unneeded for haproxy's operation and thus is a good defense in depth measure. --- contrib/systemd/haproxy.service.in | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/contrib/systemd/haproxy.service.in b/contrib/systemd/haproxy.service.in index 846bcc77f..7a8b6bead 100644 --- a/contrib/systemd/haproxy.service.in +++ b/contrib/systemd/haproxy.service.in @@ -27,6 +27,8 @@ Type=notify # ProtectKernelTunables=true # ProtectKernelModules=true # ProtectControlGroups=true +# If your SystemD version supports them, you can add: @reboot, @swap, @sync +# SystemCallFilter=~@cpu-emulation @keyring @module @obsolete @raw-io [Install] WantedBy=multi-user.target -- 2.16.2