From e0e9177f5ede99096ec37072d01ea625c939d805 Mon Sep 17 00:00:00 2001
From: matt335672 <30179339+matt335672@users.noreply.github.com>
Date: Fri, 22 Mar 2024 11:38:42 +0000
Subject: [PATCH] Simplify allowed system calls for xrdp

- The command 'systemd-analyze syscall-filter' shows that the group
  @system-service added to the xrdp-service SystemCallFilter
  actually includes all of the other listed groups and individual
  services.  Consequently this line can be simplified to just specify
  @system-service.

- (reversion) The SystemCallErrorNumber setting in xrdp.service has been
  removed so that unauthorized system calls cause an immediate process exit.
---
 instfiles/xrdp.service.in | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/instfiles/xrdp.service.in b/instfiles/xrdp.service.in
index be24535a27..92ce035a69 100644
--- a/instfiles/xrdp.service.in
+++ b/instfiles/xrdp.service.in
@@ -10,9 +10,7 @@ EnvironmentFile=-@sysconfdir@/sysconfig/xrdp
 EnvironmentFile=-@sysconfdir@/default/xrdp
 ExecStart=@sbindir@/xrdp $XRDP_OPTIONS --nodaemon
 SystemCallArchitectures=native
-SystemCallFilter=@basic-io @file-system @io-event @ipc @network-io @process
-SystemCallFilter=@signal @system-service ioctl madvise sysinfo uname
-SystemCallErrorNumber=EPERM
+SystemCallFilter=@system-service
 
 [Install]
 WantedBy=multi-user.target