From 9bf78e4a8094b50c7de1cd7267fc6b16cd391350 Mon Sep 17 00:00:00 2001
From: Daniel Richard G <skunk@iSKUNK.ORG>
Date: Mon, 22 May 2023 15:53:40 -0400
Subject: [PATCH] Add syscall filtering to xrdp systemd unit

---
 instfiles/xrdp.service.in | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/instfiles/xrdp.service.in b/instfiles/xrdp.service.in
index db52e31a..814d4de5 100644
--- a/instfiles/xrdp.service.in
+++ b/instfiles/xrdp.service.in
@@ -9,6 +9,8 @@ Type=exec
 EnvironmentFile=-@sysconfdir@/sysconfig/xrdp
 EnvironmentFile=-@sysconfdir@/default/xrdp
 ExecStart=@sbindir@/xrdp $XRDP_OPTIONS --nodaemon
+SystemCallArchitectures=native
+SystemCallFilter=@basic-io @file-system @io-event @ipc @network-io @process @signal ioctl madvise sysinfo uname
 
 [Install]
 WantedBy=multi-user.target