From 2788a39c07621e7af0d2efa34b4adabe8a01ad31 Mon Sep 17 00:00:00 2001
From: Tim Duesterhus <tim@bastelstu.be>
Date: Tue, 27 Feb 2018 20:19:05 +0100
Subject: [PATCH] MINOR: systemd: Add SystemD's SystemCallFilter option to the
 unit file

This option takes away system calls that are unneeded for haproxy's
operation and thus is a good defense in depth measure.
---
 contrib/systemd/haproxy.service.in | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/contrib/systemd/haproxy.service.in b/contrib/systemd/haproxy.service.in
index 846bcc77f..7a8b6bead 100644
--- a/contrib/systemd/haproxy.service.in
+++ b/contrib/systemd/haproxy.service.in
@@ -27,6 +27,8 @@ Type=notify
 # ProtectKernelTunables=true
 # ProtectKernelModules=true
 # ProtectControlGroups=true
+# If your SystemD version supports them, you can add: @reboot, @swap, @sync
+# SystemCallFilter=~@cpu-emulation @keyring @module @obsolete @raw-io
 
 [Install]
 WantedBy=multi-user.target