From 0244416aacbad03e4ebe8f2c95c7861a318916ea Mon Sep 17 00:00:00 2001
From: Charlie <2747302+CharlieC3@users.noreply.github.com>
Date: Thu, 24 Aug 2023 16:54:47 -0400
Subject: [PATCH] security: restrict abis in bitcoind.service

It's recommended to restrict the possible application binary interfaces that can be used when setting `MemoryDenyWriteExecute=true` to ensure it cannot be circumvented.
---
 contrib/init/bitcoind.service | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/contrib/init/bitcoind.service b/contrib/init/bitcoind.service
index 87da17f9552..ade8a05926f 100644
--- a/contrib/init/bitcoind.service
+++ b/contrib/init/bitcoind.service
@@ -81,5 +81,8 @@ PrivateDevices=true
 # Deny the creation of writable and executable memory mappings.
 MemoryDenyWriteExecute=true
 
+# Restrict ABIs to help ensure MemoryDenyWriteExecute is enforced
+SystemCallArchitectures=native
+
 [Install]
 WantedBy=multi-user.target
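Review bot: The comment added above `SystemCallArchitectures=native` says the setting helps enforcement but not how, and it omits the side effect an operator is most likely to hit: the system call filter is inherited by child processes, so a helper program the daemon launches that was built for a secondary ABI (for example a 32-bit binary on an x86-64 host) would presumably be refused its system calls. I would spell both out, e.g. `# Allow only native-ABI system calls; a secondary ABI (e.g. 32-bit x86 on x86-64) could otherwise bypass the MemoryDenyWriteExecute filter.` followed by `# Programs started by bitcoind must therefore be native binaries as well.` The new comment also lacks the trailing period used by the comment just above it. After deployment the effective setting can be confirmed with `systemd-analyze security bitcoind.service`, since the directive has no effect on hosts where seccomp filtering is unavailable.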