authorTopi Miettinen <toiwoton@gmail.com>2015-02-11 18:32:14 +0200
committerLennart Poettering <lennart@poettering.net>2015-02-11 17:33:36 +0100
commit6a716208b346b742053cfd01e76f76fb27c4ea47 (patch)
tree15ea908b54df5b082e80a5f1835210d9e3b13a1d
parentc4c086a2e37bb3c869298558ea24864b6606774e (diff)
units: add SecureBits
No setuid programs are expected to be executed, so add SecureBits=noroot noroot-locked to unit files.
-rw-r--r--units/systemd-hostnamed.service.in1
-rw-r--r--units/systemd-importd.service.in1
-rw-r--r--units/systemd-journal-gatewayd.service.in1
-rw-r--r--units/systemd-journal-remote.service.in1
-rw-r--r--units/systemd-journal-upload.service.in1
-rw-r--r--units/systemd-journald.service.in1
-rw-r--r--units/systemd-localed.service.in1
-rw-r--r--units/systemd-logind.service.in1
-rw-r--r--units/systemd-machined.service.in1
-rw-r--r--units/systemd-networkd.service.in1
-rw-r--r--units/systemd-resolved.service.in1
-rw-r--r--units/systemd-timedated.service.in1
-rw-r--r--units/systemd-timesyncd.service.in1
13 files changed, 13 insertions, 0 deletions
diff --git a/units/systemd-hostnamed.service.in b/units/systemd-hostnamed.service.in
index cc88ecd0db..259b451cbd 100644
--- a/units/systemd-hostnamed.service.in
+++ b/units/systemd-hostnamed.service.in
@@ -14,6 +14,7 @@ Documentation=http://www.freedesktop.org/wiki/Software/systemd/hostnamed
ExecStart=@rootlibexecdir@/systemd-hostnamed
BusName=org.freedesktop.hostname1
CapabilityBoundingSet=CAP_SYS_ADMIN
+SecureBits=noroot noroot-locked
WatchdogSec=1min
PrivateTmp=yes
PrivateDevices=yes
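Review bot: `SecureBits=noroot` changes how capabilities are computed for the daemon itself, not only for setuid helpers: with the bit set, a UID 0 process gains no capabilities at execve() unless the binary carries file capabilities. The hunk shows no `User=` and bounds the service to `CAP_SYS_ADMIN`, so if the manager applies the secure bits before executing `systemd-hostnamed`, the daemon would likely start with empty permitted and effective sets; the [Service] section begins outside the hunk, so this is inferred. The same concern applies to the importd, journald, logind, machined, networkd, resolved, timedated and timesyncd hunks, which also list capabilities they appear to rely on. I would check `CapEff` in `/proc/<pid>/status` of each started service before merging, and for root-run units either drop the line or record the result, e.g. `# noroot verified: daemon keeps its bounding-set capabilities after exec`.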
diff --git a/units/systemd-importd.service.in b/units/systemd-importd.service.in
index 26759ea0fb..189c763804 100644
--- a/units/systemd-importd.service.in
+++ b/units/systemd-importd.service.in
@@ -14,6 +14,7 @@ ExecStart=@rootlibexecdir@/systemd-importd
BusName=org.freedesktop.import1
CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER CAP_FSETID CAP_MKNOD CAP_SETFCAP CAP_SYS_ADMIN CAP_SETPCAP
NoNewPrivileges=yes
+SecureBits=noroot noroot-locked
WatchdogSec=1min
PrivateTmp=yes
ProtectSystem=full
diff --git a/units/systemd-journal-gatewayd.service.in b/units/systemd-journal-gatewayd.service.in
index 987220e554..f15a37f9d1 100644
--- a/units/systemd-journal-gatewayd.service.in
+++ b/units/systemd-journal-gatewayd.service.in
@@ -11,6 +11,7 @@ Requires=systemd-journal-gatewayd.socket
[Service]
ExecStart=@rootlibexecdir@/systemd-journal-gatewayd
+SecureBits=noroot noroot-locked
User=systemd-journal-gateway
Group=systemd-journal-gateway
SupplementaryGroups=systemd-journal
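Review bot: For the units that already run unprivileged via `User=` (this one, plus the journal-remote and journal-upload hunks), `noroot` only withholds capabilities from a set-user-ID-root program; the program still runs with effective UID 0 and so keeps access to root-owned files. The stated intent, that no setuid programs are expected, is enforced more directly by `NoNewPrivileges=yes`, which the importd unit in this same commit already sets. I would add `NoNewPrivileges=yes` next to the new line unless it is set further down in the section, which the hunk does not show.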
diff --git a/units/systemd-journal-remote.service.in b/units/systemd-journal-remote.service.in
index 4a898d62f3..afa35e6e6b 100644
--- a/units/systemd-journal-remote.service.in
+++ b/units/systemd-journal-remote.service.in
@@ -13,6 +13,7 @@ Requires=systemd-journal-remote.socket
ExecStart=@rootlibexecdir@/systemd-journal-remote \
--listen-https=-3 \
--output=/var/log/journal/remote/
+SecureBits=noroot noroot-locked
User=systemd-journal-remote
Group=systemd-journal-remote
PrivateTmp=yes
diff --git a/units/systemd-journal-upload.service.in b/units/systemd-journal-upload.service.in
index b2e3c769cc..f8524ca227 100644
--- a/units/systemd-journal-upload.service.in
+++ b/units/systemd-journal-upload.service.in
@@ -12,6 +12,7 @@ After=network.target
[Service]
ExecStart=@rootlibexecdir@/systemd-journal-upload \
--save-state
+SecureBits=noroot noroot-locked
User=systemd-journal-upload
PrivateTmp=yes
PrivateDevices=yes
diff --git a/units/systemd-journald.service.in b/units/systemd-journald.service.in
index a3540c65d2..b48e4ad1aa 100644
--- a/units/systemd-journald.service.in
+++ b/units/systemd-journald.service.in
@@ -22,6 +22,7 @@ RestartSec=0
NotifyAccess=all
StandardOutput=null
CapabilityBoundingSet=CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SYS_PTRACE CAP_SYSLOG CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_CHOWN CAP_DAC_READ_SEARCH CAP_FOWNER CAP_SETUID CAP_SETGID CAP_MAC_OVERRIDE
+SecureBits=noroot noroot-locked
WatchdogSec=1min
FileDescriptorStoreMax=1024
diff --git a/units/systemd-localed.service.in b/units/systemd-localed.service.in
index bfa097844f..d2fbf301de 100644
--- a/units/systemd-localed.service.in
+++ b/units/systemd-localed.service.in
@@ -14,6 +14,7 @@ Documentation=http://www.freedesktop.org/wiki/Software/systemd/localed
ExecStart=@rootlibexecdir@/systemd-localed
BusName=org.freedesktop.locale1
CapabilityBoundingSet=
+SecureBits=noroot noroot-locked
WatchdogSec=1min
PrivateTmp=yes
PrivateDevices=yes
diff --git a/units/systemd-logind.service.in b/units/systemd-logind.service.in
index f087e99ce2..471278aa1b 100644
--- a/units/systemd-logind.service.in
+++ b/units/systemd-logind.service.in
@@ -24,6 +24,7 @@ Restart=always
RestartSec=0
BusName=org.freedesktop.login1
CapabilityBoundingSet=CAP_SYS_ADMIN CAP_MAC_ADMIN CAP_AUDIT_CONTROL CAP_CHOWN CAP_KILL CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE CAP_FOWNER CAP_SYS_TTY_CONFIG
+SecureBits=noroot noroot-locked
WatchdogSec=1min
# Increase the default a bit in order to allow many simultaneous
diff --git a/units/systemd-machined.service.in b/units/systemd-machined.service.in
index 15f34d9db7..0cb823e60e 100644
--- a/units/systemd-machined.service.in
+++ b/units/systemd-machined.service.in
@@ -16,6 +16,7 @@ After=machine.slice
ExecStart=@rootlibexecdir@/systemd-machined
BusName=org.freedesktop.machine1
CapabilityBoundingSet=CAP_KILL CAP_SYS_PTRACE CAP_SYS_ADMIN CAP_SETGID CAP_SYS_CHROOT CAP_DAC_READ_SEARCH
+SecureBits=noroot noroot-locked
WatchdogSec=1min
PrivateTmp=yes
PrivateDevices=yes
diff --git a/units/systemd-networkd.service.in b/units/systemd-networkd.service.in
index 5a91b8e499..057cc8cc46 100644
--- a/units/systemd-networkd.service.in
+++ b/units/systemd-networkd.service.in
@@ -23,6 +23,7 @@ Restart=on-failure
RestartSec=0
ExecStart=@rootlibexecdir@/systemd-networkd
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW CAP_SETUID CAP_SETGID CAP_SETPCAP CAP_CHOWN CAP_DAC_OVERRIDE CAP_FOWNER
+SecureBits=noroot noroot-locked
ProtectSystem=full
ProtectHome=yes
WatchdogSec=1min
diff --git a/units/systemd-resolved.service.in b/units/systemd-resolved.service.in
index b643da9a73..00967e3860 100644
--- a/units/systemd-resolved.service.in
+++ b/units/systemd-resolved.service.in
@@ -21,6 +21,7 @@ Restart=always
RestartSec=0
ExecStart=@rootlibexecdir@/systemd-resolved
CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_SETPCAP CAP_CHOWN CAP_DAC_OVERRIDE CAP_FOWNER
+SecureBits=noroot noroot-locked
ProtectSystem=full
ProtectHome=yes
WatchdogSec=1min
diff --git a/units/systemd-timedated.service.in b/units/systemd-timedated.service.in
index fe5ccb4601..9083e28d54 100644
--- a/units/systemd-timedated.service.in
+++ b/units/systemd-timedated.service.in
@@ -14,6 +14,7 @@ Documentation=http://www.freedesktop.org/wiki/Software/systemd/timedated
ExecStart=@rootlibexecdir@/systemd-timedated
BusName=org.freedesktop.timedate1
CapabilityBoundingSet=CAP_SYS_TIME
+SecureBits=noroot noroot-locked
WatchdogSec=1min
PrivateTmp=yes
ProtectSystem=yes
diff --git a/units/systemd-timesyncd.service.in b/units/systemd-timesyncd.service.in
index 39edafc8d2..bc7aa26a9b 100644
--- a/units/systemd-timesyncd.service.in
+++ b/units/systemd-timesyncd.service.in
@@ -23,6 +23,7 @@ Restart=always
RestartSec=0
ExecStart=@rootlibexecdir@/systemd-timesyncd
CapabilityBoundingSet=CAP_SYS_TIME CAP_SETUID CAP_SETGID CAP_SETPCAP CAP_CHOWN CAP_DAC_OVERRIDE CAP_FOWNER
+SecureBits=noroot noroot-locked
PrivateTmp=yes
PrivateDevices=yes
ProtectSystem=full