From 3c19d0b46bb05aef5dcaa2ce83c31b15ee8ae11b Mon Sep 17 00:00:00 2001
From: Lennart Poettering
Date: Thu, 9 Feb 2017 10:28:23 +0100
Subject: units: restrict namespace for a good number of our own services

Basically, we turn it on for most long-running services, with the exception of machined (whose child processes need to join containers here and there), and importd (which sandboxes tar in a CLONE_NEWNET namespace).

machined is left unrestricted, and importd is restricted to use only "net"
---
 units/systemd-journal-remote.service.in | 1 +
 1 file changed, 1 insertion(+)
(limited to 'units/systemd-journal-remote.service.in')

diff --git a/units/systemd-journal-remote.service.in b/units/systemd-journal-remote.service.in
index bc384b8382..cab7778ddc 100644
--- a/units/systemd-journal-remote.service.in
+++ b/units/systemd-journal-remote.service.in
@@ -24,6 +24,7 @@
 ProtectControlGroups=yes
 ProtectKernelTunables=yes
 MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
+RestrictNamespaces=yes
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
 SystemCallArchitectures=native
--
cgit v1.2.3-54-g00ecf
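Review bot: The added `RestrictNamespaces=yes` carries no rationale in the unit, and the commit message explains only the two exceptions (machined, importd) rather than why this service can take the full deny; a comment above it, `# journal-remote never creates namespaces of its own, so deny them all`, would record that decision next to the directive the way the message does for importd's net-only restriction. The placement among the other seccomp-backed lines (`RestrictAddressFamilies=`, `SystemCallArchitectures=native`) is consistent, since `RestrictNamespaces=` is enforced the same way. That also means the restriction is silently absent on a systemd built without seccomp support or on a kernel that lacks it, so an audit of the deployed hardening should confirm the effective value on the running unit rather than rely on the unit text alone. The `[Service]` section this hunk belongs to starts before the hunk.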