From 6a716208b346b742053cfd01e76f76fb27c4ea47 Mon Sep 17 00:00:00 2001
From: Topi Miettinen <toiwoton@gmail.com>
Date: Wed, 11 Feb 2015 18:32:14 +0200
Subject: units: add SecureBits

No setuid programs are expected to be executed, so add
SecureBits=noroot noroot-locked
to unit files.
---
 units/systemd-journald.service.in | 1 +
 1 file changed, 1 insertion(+)

(limited to 'units/systemd-journald.service.in')

diff --git a/units/systemd-journald.service.in b/units/systemd-journald.service.in
index a3540c65d2..b48e4ad1aa 100644
--- a/units/systemd-journald.service.in
+++ b/units/systemd-journald.service.in
@@ -22,6 +22,7 @@ RestartSec=0
 NotifyAccess=all
 StandardOutput=null
 CapabilityBoundingSet=CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SYS_PTRACE CAP_SYSLOG CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_CHOWN CAP_DAC_READ_SEARCH CAP_FOWNER CAP_SETUID CAP_SETGID CAP_MAC_OVERRIDE
+SecureBits=noroot noroot-locked
 WatchdogSec=1min
 FileDescriptorStoreMax=1024
 
-- 
cgit v1.2.3