diff options
| author | Lennart Poettering <lennart@poettering.net> | 2017-02-09 10:58:28 +0100 |
|---|---|---|
| committer | Lennart Poettering <lennart@poettering.net> | 2017-02-09 16:12:03 +0100 |
| commit | c7fb922d6250543ba5462fa7a6ff03cc8f628e94 (patch) | |
| tree | d7f792739c369510c6a41e61414c85eb8773497e | |
| parent | 3c19d0b46bb05aef5dcaa2ce83c31b15ee8ae11b (diff) | |
units: switch on ProtectSystem=strict for our long running services
Let's step up the protection a notch
| -rw-r--r-- | units/systemd-coredump@.service.in | 3 | ||||
| -rw-r--r-- | units/systemd-hostnamed.service.in | 3 | ||||
| -rw-r--r-- | units/systemd-journal-gatewayd.service.in | 2 | ||||
| -rw-r--r-- | units/systemd-journal-remote.service.in | 3 | ||||
| -rw-r--r-- | units/systemd-journal-upload.service.in | 2 | ||||
| -rw-r--r-- | units/systemd-localed.service.in | 3 | ||||
| -rw-r--r-- | units/systemd-networkd.service.m4.in | 3 | ||||
| -rw-r--r-- | units/systemd-resolved.service.m4.in | 3 | ||||
| -rw-r--r-- | units/systemd-timedated.service.in | 3 | ||||
| -rw-r--r-- | units/systemd-timesyncd.service.in | 3 |
10 files changed, 18 insertions, 10 deletions
diff --git a/units/systemd-coredump@.service.in b/units/systemd-coredump@.service.in index 8ae296ff2b..760769191c 100644 --- a/units/systemd-coredump@.service.in +++ b/units/systemd-coredump@.service.in @@ -20,6 +20,7 @@ ExecStart=-@rootlibexecdir@/systemd-coredump Nice=9 OOMScoreAdjust=500 PrivateNetwork=yes -ProtectSystem=full +ProtectSystem=strict RuntimeMaxSec=5min SystemCallArchitectures=native +ReadWritePaths=/var/lib/systemd/coredump diff --git a/units/systemd-hostnamed.service.in b/units/systemd-hostnamed.service.in index 8a551403cf..6904785e45 100644 --- a/units/systemd-hostnamed.service.in +++ b/units/systemd-hostnamed.service.in @@ -18,7 +18,7 @@ CapabilityBoundingSet=CAP_SYS_ADMIN PrivateTmp=yes PrivateDevices=yes PrivateNetwork=yes -ProtectSystem=yes +ProtectSystem=strict ProtectHome=yes ProtectControlGroups=yes ProtectKernelTunables=yes @@ -28,3 +28,4 @@ RestrictNamespaces=yes RestrictAddressFamilies=AF_UNIX SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io SystemCallArchitectures=native +ReadWritePaths=/etc diff --git a/units/systemd-journal-gatewayd.service.in b/units/systemd-journal-gatewayd.service.in index 677cb2a04b..ecc5b56c9c 100644 --- a/units/systemd-journal-gatewayd.service.in +++ b/units/systemd-journal-gatewayd.service.in @@ -18,7 +18,7 @@ SupplementaryGroups=systemd-journal PrivateTmp=yes PrivateDevices=yes PrivateNetwork=yes -ProtectSystem=full +ProtectSystem=strict ProtectHome=yes ProtectControlGroups=yes ProtectKernelTunables=yes diff --git a/units/systemd-journal-remote.service.in b/units/systemd-journal-remote.service.in index cab7778ddc..323e308871 100644 --- a/units/systemd-journal-remote.service.in +++ b/units/systemd-journal-remote.service.in @@ -18,7 +18,7 @@ WatchdogSec=3min PrivateTmp=yes PrivateDevices=yes PrivateNetwork=yes -ProtectSystem=full +ProtectSystem=strict ProtectHome=yes ProtectControlGroups=yes ProtectKernelTunables=yes @@ -27,6 +27,7 @@ RestrictRealtime=yes RestrictNamespaces=yes RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 SystemCallArchitectures=native +ReadWritePaths=/var/log/journal/remote [Install] Also=systemd-journal-remote.socket diff --git a/units/systemd-journal-upload.service.in b/units/systemd-journal-upload.service.in index f539c7dc1f..d7e0b290e9 100644 --- a/units/systemd-journal-upload.service.in +++ b/units/systemd-journal-upload.service.in @@ -18,7 +18,7 @@ SupplementaryGroups=systemd-journal WatchdogSec=3min PrivateTmp=yes PrivateDevices=yes -ProtectSystem=full +ProtectSystem=strict ProtectHome=yes ProtectControlGroups=yes ProtectKernelTunables=yes diff --git a/units/systemd-localed.service.in b/units/systemd-localed.service.in index 1b6c163ef4..d6441d9f5f 100644 --- a/units/systemd-localed.service.in +++ b/units/systemd-localed.service.in @@ -18,7 +18,7 @@ CapabilityBoundingSet= PrivateTmp=yes PrivateDevices=yes PrivateNetwork=yes -ProtectSystem=yes +ProtectSystem=strict ProtectHome=yes ProtectControlGroups=yes ProtectKernelTunables=yes @@ -28,3 +28,4 @@ RestrictNamespaces=yes RestrictAddressFamilies=AF_UNIX SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io SystemCallArchitectures=native +ReadWritePaths=/etc diff --git a/units/systemd-networkd.service.m4.in b/units/systemd-networkd.service.m4.in index 4596d31d0f..153ddeb323 100644 --- a/units/systemd-networkd.service.m4.in +++ b/units/systemd-networkd.service.m4.in @@ -28,7 +28,7 @@ RestartSec=0 ExecStart=@rootlibexecdir@/systemd-networkd WatchdogSec=3min CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW CAP_SETUID CAP_SETGID CAP_SETPCAP CAP_CHOWN CAP_DAC_OVERRIDE CAP_FOWNER -ProtectSystem=full +ProtectSystem=strict ProtectHome=yes ProtectControlGroups=yes MemoryDenyWriteExecute=yes @@ -36,6 +36,7 @@ RestrictRealtime=yes RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6 AF_PACKET SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io SystemCallArchitectures=native +ReadWritePaths=/run/systemd [Install] WantedBy=multi-user.target diff --git a/units/systemd-resolved.service.m4.in b/units/systemd-resolved.service.m4.in index dcacbdaeab..dfd2f4ad0a 100644 --- a/units/systemd-resolved.service.m4.in +++ b/units/systemd-resolved.service.m4.in @@ -27,7 +27,7 @@ WatchdogSec=3min CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_SETPCAP CAP_CHOWN CAP_DAC_OVERRIDE CAP_FOWNER CAP_NET_RAW CAP_NET_BIND_SERVICE PrivateTmp=yes PrivateDevices=yes -ProtectSystem=full +ProtectSystem=strict ProtectHome=yes ProtectControlGroups=yes ProtectKernelTunables=yes @@ -36,6 +36,7 @@ RestrictRealtime=yes RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6 SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io SystemCallArchitectures=native +ReadWritePaths=/run/systemd [Install] WantedBy=multi-user.target diff --git a/units/systemd-timedated.service.in b/units/systemd-timedated.service.in index 26756d6e01..336a231290 100644 --- a/units/systemd-timedated.service.in +++ b/units/systemd-timedated.service.in @@ -16,7 +16,7 @@ BusName=org.freedesktop.timedate1 WatchdogSec=3min CapabilityBoundingSet=CAP_SYS_TIME PrivateTmp=yes -ProtectSystem=yes +ProtectSystem=strict ProtectHome=yes ProtectControlGroups=yes ProtectKernelTunables=yes @@ -26,3 +26,4 @@ RestrictNamespaces=yes RestrictAddressFamilies=AF_UNIX SystemCallFilter=~@cpu-emulation @debug @keyring @module @mount @obsolete @raw-io SystemCallArchitectures=native +ReadWritePaths=/etc diff --git a/units/systemd-timesyncd.service.in b/units/systemd-timesyncd.service.in index 5eb3f2362f..41d41806c1 100644 --- a/units/systemd-timesyncd.service.in +++ b/units/systemd-timesyncd.service.in @@ -26,7 +26,7 @@ WatchdogSec=3min CapabilityBoundingSet=CAP_SYS_TIME CAP_SETUID CAP_SETGID CAP_SETPCAP CAP_CHOWN CAP_DAC_OVERRIDE CAP_FOWNER PrivateTmp=yes PrivateDevices=yes -ProtectSystem=full +ProtectSystem=strict ProtectHome=yes ProtectControlGroups=yes ProtectKernelTunables=yes @@ -36,6 +36,7 @@ RestrictNamespaces=yes RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 SystemCallFilter=~@cpu-emulation @debug @keyring @module @mount @obsolete @raw-io SystemCallArchitectures=native +ReadWritePaths=/var/lib/systemd [Install] WantedBy=sysinit.target |