summaryrefslogtreecommitdiff
path: root/units
diff options
context:
space:
mode:
Diffstat (limited to 'units')
-rw-r--r--units/emergency.service.in2
-rw-r--r--units/getty@.service.m46
-rw-r--r--units/rescue.service.in4
-rw-r--r--units/systemd-hostnamed.service.in2
-rw-r--r--units/systemd-importd.service.in2
-rw-r--r--units/systemd-journald.service.in2
-rw-r--r--units/systemd-localed.service.in2
-rw-r--r--units/systemd-logind.service.in2
-rw-r--r--units/systemd-machined.service.in2
-rw-r--r--units/systemd-networkd.service.m4.in2
-rw-r--r--units/systemd-nspawn@.service.in11
-rw-r--r--units/systemd-resolved.service.m4.in4
-rw-r--r--units/systemd-timedated.service.in2
-rw-r--r--units/systemd-timesyncd.service.in2
-rw-r--r--units/systemd-udevd.service.in1
-rw-r--r--units/tmp.mount.m42
16 files changed, 34 insertions, 14 deletions
diff --git a/units/emergency.service.in b/units/emergency.service.in
index 0de16f24e8..da68eb8faa 100644
--- a/units/emergency.service.in
+++ b/units/emergency.service.in
@@ -18,7 +18,7 @@ Before=shutdown.target
Environment=HOME=/root
WorkingDirectory=-/root
ExecStartPre=-/bin/plymouth --wait quit
-ExecStartPre=-/bin/echo -e 'Welcome to emergency mode! After logging in, type "journalctl -xb" to view\\nsystem logs, "systemctl reboot" to reboot, "systemctl default" or ^D to\\ntry again to boot into default mode.'
+ExecStartPre=-/bin/echo -e 'You are in emergency mode. After logging in, type "journalctl -xb" to view\\nsystem logs, "systemctl reboot" to reboot, "systemctl default" or ^D to\\ntry again to boot into default mode.'
ExecStart=-/bin/sh -c "@SULOGIN@; @SYSTEMCTL@ --job-mode=fail --no-block default"
Type=idle
StandardInput=tty-force
diff --git a/units/getty@.service.m4 b/units/getty@.service.m4
index 46164ab9d8..5b82c13fc5 100644
--- a/units/getty@.service.m4
+++ b/units/getty@.service.m4
@@ -20,6 +20,12 @@ After=rc-local.service
Before=getty.target
IgnoreOnIsolate=yes
+# IgnoreOnIsolate causes issues with sulogin, if someone isolates
+# rescue.target or starts rescue.service from multi-user.target or
+# graphical.target.
+Conflicts=rescue.service
+Before=rescue.service
+
# On systems without virtual consoles, don't start any getty. Note
# that serial gettys are covered by serial-getty@.service, not this
# unit.
diff --git a/units/rescue.service.in b/units/rescue.service.in
index 92553f61dd..5feff69c89 100644
--- a/units/rescue.service.in
+++ b/units/rescue.service.in
@@ -16,8 +16,8 @@ Before=shutdown.target
[Service]
Environment=HOME=/root
WorkingDirectory=-/root
-ExecStartPre=-/bin/plymouth quit
-ExecStartPre=-/bin/echo -e 'Welcome to rescue mode! After logging in, type "journalctl -xb" to view\\nsystem logs, "systemctl reboot" to reboot, "systemctl default" or ^D to\\nboot into default mode.'
+ExecStartPre=-/bin/plymouth --wait quit
+ExecStartPre=-/bin/echo -e 'You are in rescue mode. After logging in, type "journalctl -xb" to view\\nsystem logs, "systemctl reboot" to reboot, "systemctl default" or ^D to\\nboot into default mode.'
ExecStart=-/bin/sh -c "@SULOGIN@; @SYSTEMCTL@ --job-mode=fail --no-block default"
Type=idle
StandardInput=tty-force
diff --git a/units/systemd-hostnamed.service.in b/units/systemd-hostnamed.service.in
index b7079e4a7c..0b03a589ea 100644
--- a/units/systemd-hostnamed.service.in
+++ b/units/systemd-hostnamed.service.in
@@ -20,3 +20,5 @@ PrivateDevices=yes
PrivateNetwork=yes
ProtectSystem=yes
ProtectHome=yes
+MemoryDenyWriteExecute=yes
+SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io
diff --git a/units/systemd-importd.service.in b/units/systemd-importd.service.in
index b74ad72cdc..0f5489e7e3 100644
--- a/units/systemd-importd.service.in
+++ b/units/systemd-importd.service.in
@@ -17,3 +17,5 @@ CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER CAP_FSETID CAP_MKNOD CAP_SETFCAP CAP_
NoNewPrivileges=yes
WatchdogSec=3min
KillMode=mixed
+MemoryDenyWriteExecute=yes
+SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io
diff --git a/units/systemd-journald.service.in b/units/systemd-journald.service.in
index 41bfde5be3..08ace8ae44 100644
--- a/units/systemd-journald.service.in
+++ b/units/systemd-journald.service.in
@@ -24,6 +24,8 @@ StandardOutput=null
CapabilityBoundingSet=CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SYS_PTRACE CAP_SYSLOG CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_CHOWN CAP_DAC_READ_SEARCH CAP_FOWNER CAP_SETUID CAP_SETGID CAP_MAC_OVERRIDE
WatchdogSec=3min
FileDescriptorStoreMax=1024
+MemoryDenyWriteExecute=yes
+SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io
# Increase the default a bit in order to allow many simultaneous
# services being run since we keep one fd open per service. Also, when
diff --git a/units/systemd-localed.service.in b/units/systemd-localed.service.in
index 9b13f901a3..1f3151c2b5 100644
--- a/units/systemd-localed.service.in
+++ b/units/systemd-localed.service.in
@@ -20,3 +20,5 @@ PrivateDevices=yes
PrivateNetwork=yes
ProtectSystem=yes
ProtectHome=yes
+MemoryDenyWriteExecute=yes
+SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io
diff --git a/units/systemd-logind.service.in b/units/systemd-logind.service.in
index ff049134ee..bee08d011f 100644
--- a/units/systemd-logind.service.in
+++ b/units/systemd-logind.service.in
@@ -25,6 +25,8 @@ RestartSec=0
BusName=org.freedesktop.login1
CapabilityBoundingSet=CAP_SYS_ADMIN CAP_MAC_ADMIN CAP_AUDIT_CONTROL CAP_CHOWN CAP_KILL CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE CAP_FOWNER CAP_SYS_TTY_CONFIG
WatchdogSec=3min
+MemoryDenyWriteExecute=yes
+SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @obsolete @raw-io
# Increase the default a bit in order to allow many simultaneous
# logins since we keep one fd open per session.
diff --git a/units/systemd-machined.service.in b/units/systemd-machined.service.in
index 685baab21d..dcf9f347b7 100644
--- a/units/systemd-machined.service.in
+++ b/units/systemd-machined.service.in
@@ -17,6 +17,8 @@ ExecStart=@rootlibexecdir@/systemd-machined
BusName=org.freedesktop.machine1
CapabilityBoundingSet=CAP_KILL CAP_SYS_PTRACE CAP_SYS_ADMIN CAP_SETGID CAP_SYS_CHROOT CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE CAP_CHOWN CAP_FOWNER CAP_FSETID CAP_MKNOD
WatchdogSec=3min
+MemoryDenyWriteExecute=yes
+SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @obsolete @raw-io
# Note that machined cannot be placed in a mount namespace, since it
# needs access to the host's mount namespace in order to implement the
diff --git a/units/systemd-networkd.service.m4.in b/units/systemd-networkd.service.m4.in
index 27d4d58962..38d967d2d1 100644
--- a/units/systemd-networkd.service.m4.in
+++ b/units/systemd-networkd.service.m4.in
@@ -31,6 +31,8 @@ CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_N
ProtectSystem=full
ProtectHome=yes
WatchdogSec=3min
+MemoryDenyWriteExecute=yes
+SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io
[Install]
WantedBy=multi-user.target
diff --git a/units/systemd-nspawn@.service.in b/units/systemd-nspawn@.service.in
index ea28941507..c8141639b6 100644
--- a/units/systemd-nspawn@.service.in
+++ b/units/systemd-nspawn@.service.in
@@ -20,20 +20,13 @@ RestartForceExitStatus=133
SuccessExitStatus=133
Slice=machine.slice
Delegate=yes
-TasksMax=8192
+TasksMax=16384
# Enforce a strict device policy, similar to the one nspawn configures
# when it allocates its own scope unit. Make sure to keep these
# policies in sync if you change them!
-DevicePolicy=strict
-DeviceAllow=/dev/null rwm
-DeviceAllow=/dev/zero rwm
-DeviceAllow=/dev/full rwm
-DeviceAllow=/dev/random rwm
-DeviceAllow=/dev/urandom rwm
-DeviceAllow=/dev/tty rwm
+DevicePolicy=closed
DeviceAllow=/dev/net/tun rwm
-DeviceAllow=/dev/pts/ptmx rw
DeviceAllow=char-pts rw
# nspawn itself needs access to /dev/loop-control and /dev/loop, to
diff --git a/units/systemd-resolved.service.m4.in b/units/systemd-resolved.service.m4.in
index 8e1c1dea79..15ab56a066 100644
--- a/units/systemd-resolved.service.m4.in
+++ b/units/systemd-resolved.service.m4.in
@@ -23,10 +23,12 @@ Type=notify
Restart=always
RestartSec=0
ExecStart=@rootlibexecdir@/systemd-resolved
-CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_SETPCAP CAP_CHOWN CAP_DAC_OVERRIDE CAP_FOWNER
+CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_SETPCAP CAP_CHOWN CAP_DAC_OVERRIDE CAP_FOWNER CAP_NET_RAW CAP_NET_BIND_SERVICE
ProtectSystem=full
ProtectHome=yes
WatchdogSec=3min
+MemoryDenyWriteExecute=yes
+SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io
[Install]
WantedBy=multi-user.target
diff --git a/units/systemd-timedated.service.in b/units/systemd-timedated.service.in
index 0c9599db20..bc1795d747 100644
--- a/units/systemd-timedated.service.in
+++ b/units/systemd-timedated.service.in
@@ -18,3 +18,5 @@ WatchdogSec=3min
PrivateTmp=yes
ProtectSystem=yes
ProtectHome=yes
+MemoryDenyWriteExecute=yes
+SystemCallFilter=~@cpu-emulation @debug @keyring @module @mount @obsolete @raw-io
diff --git a/units/systemd-timesyncd.service.in b/units/systemd-timesyncd.service.in
index a856dad709..df1e339196 100644
--- a/units/systemd-timesyncd.service.in
+++ b/units/systemd-timesyncd.service.in
@@ -28,6 +28,8 @@ PrivateDevices=yes
ProtectSystem=full
ProtectHome=yes
WatchdogSec=3min
+MemoryDenyWriteExecute=yes
+SystemCallFilter=~@cpu-emulation @debug @keyring @module @mount @obsolete @raw-io
[Install]
WantedBy=sysinit.target
diff --git a/units/systemd-udevd.service.in b/units/systemd-udevd.service.in
index 79f28c87c6..67e4c5fcd7 100644
--- a/units/systemd-udevd.service.in
+++ b/units/systemd-udevd.service.in
@@ -24,3 +24,4 @@ ExecStart=@rootlibexecdir@/systemd-udevd
MountFlags=slave
KillMode=mixed
WatchdogSec=3min
+TasksMax=infinity
diff --git a/units/tmp.mount.m4 b/units/tmp.mount.m4
index 1448bd268a..0baecfd22f 100644
--- a/units/tmp.mount.m4
+++ b/units/tmp.mount.m4
@@ -19,4 +19,4 @@ After=swap.target
What=tmpfs
Where=/tmp
Type=tmpfs
-Options=mode=1777,strictatime
+Options=mode=1777,strictatime,nosuid,nodev
generated by cgit v1.2.3-54-g00ecf (git 2.45.2) at 2024-08-31 19:30:08 +0000