From 9fd0964e1ca1041cb2cffe5e201e969eede0d626 Mon Sep 17 00:00:00 2001
From: Carl Tashian
Date: Thu, 28 Jan 2021 09:45:20 -0800
Subject: [PATCH] Add SystemCallFilter=@system-service

---
 systemd/step-ca.service | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/systemd/step-ca.service b/systemd/step-ca.service
index 1941a634..db745c1a 100644
--- a/systemd/step-ca.service
+++ b/systemd/step-ca.service
@@ -30,6 +30,7 @@ SecureBits=keep-caps
 NoNewPrivileges=yes
 
 ; Sandboxing
+; This works with YubiKey PIV (via pcscd), and presumably with YubiHSM2 via http connector
 ProtectSystem=full
 ProtectHome=true
 RestrictNamespaces=true
@@ -44,8 +45,8 @@ LockPersonality=true
 RestrictSUIDSGID=true
 RemoveIPC=true
 RestrictRealtime=true
-; confirmed this works, even with YubiKey PIV, and presumably with YubiHSM2:
 PrivateDevices=true
+SystemCallFilter=@system-service
 MemoryDenyWriteExecute=true
 ReadWriteDirectories=/etc/step-ca/db
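Review bot: The comment added under `; Sandboxing` now reads as a blanket compatibility claim for the whole hardening block, yet "presumably" shows the YubiHSM2 path was never exercised, and the directive the caveat actually concerns (`PrivateDevices=true`, which is why USB token access has to go through pcscd's socket rather than /dev) is no longer next to it. Because the same patch also adds `SystemCallFilter=@system-service` under this heading, a reader cannot tell which directives were tested against which key backend, and an untested claim in a hardening file tends to be trusted as fact. I would record only what was verified and mark the rest as open, e.g. `; Tested with YubiKey PIV (token reached via pcscd, so PrivateDevices=true is fine).` followed by `; YubiHSM2 via the HTTP connector is untested under this sandbox - verify before relying on it.` The sandboxing block continues past the end of this hunk.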