authorLennart Poettering <lennart@poettering.net>2018-11-12 17:19:48 +0100
committerZbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>2018-12-18 14:21:35 +0100
commit64d7f7b4a15f1534fb19fda6b601fec50783bee4 (patch)
tree1fa694aa51c8d848adeeb0dd991363d5595b059b
parentunits: sort [Service] sections alphabetically (diff)
units: set NoNewPrivileges= for all long-running services
Previously, setting this option by default was problematic due to SELinux (as this would also prohibit the transition from PID1's label to the service's label). However, this restriction has since been lifted, hence let's start making use of this universally in our services. On SELinux systems, this change should be synchronized with a policy update that ensures that NNP-ful transitions from init_t to the service labels are permitted. Fixes: #1219
-rw-r--r--units/systemd-coredump@.service.in1
-rw-r--r--units/systemd-hostnamed.service.in1
-rw-r--r--units/systemd-initctl.service.in1
-rw-r--r--units/systemd-journal-gatewayd.service.in1
-rw-r--r--units/systemd-journal-remote.service.in1
-rw-r--r--units/systemd-journal-upload.service.in1
-rw-r--r--units/systemd-journald.service.in1
-rw-r--r--units/systemd-localed.service.in1
-rw-r--r--units/systemd-logind.service.in1
-rw-r--r--units/systemd-machined.service.in1
-rw-r--r--units/systemd-networkd.service.in1
-rw-r--r--units/systemd-resolved.service.in1
-rw-r--r--units/systemd-rfkill.service.in1
-rw-r--r--units/systemd-timedated.service.in1
-rw-r--r--units/systemd-timesyncd.service.in1
15 files changed, 15 insertions, 0 deletions
diff --git a/units/systemd-coredump@.service.in b/units/systemd-coredump@.service.in
index 74dcf7fe06..ffcb5f36ca 100644
--- a/units/systemd-coredump@.service.in
+++ b/units/systemd-coredump@.service.in
@@ -22,6 +22,7 @@ IPAddressDeny=any
LockPersonality=yes
MemoryDenyWriteExecute=yes
Nice=9
+NoNewPrivileges=yes
OOMScoreAdjust=500
PrivateDevices=yes
PrivateNetwork=yes
diff --git a/units/systemd-hostnamed.service.in b/units/systemd-hostnamed.service.in
index 696d4e2e60..9c925e80d9 100644
--- a/units/systemd-hostnamed.service.in
+++ b/units/systemd-hostnamed.service.in
@@ -19,6 +19,7 @@ ExecStart=@rootlibexecdir@/systemd-hostnamed
IPAddressDeny=any
LockPersonality=yes
MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
PrivateDevices=yes
PrivateNetwork=yes
PrivateTmp=yes
diff --git a/units/systemd-initctl.service.in b/units/systemd-initctl.service.in
index f48d673d58..c276283908 100644
--- a/units/systemd-initctl.service.in
+++ b/units/systemd-initctl.service.in
@@ -14,5 +14,6 @@ DefaultDependencies=no
[Service]
ExecStart=@rootlibexecdir@/systemd-initctl
+NoNewPrivileges=yes
NotifyAccess=all
SystemCallArchitectures=native
diff --git a/units/systemd-journal-gatewayd.service.in b/units/systemd-journal-gatewayd.service.in
index 5ef4ee0058..ebc8bf9a25 100644
--- a/units/systemd-journal-gatewayd.service.in
+++ b/units/systemd-journal-gatewayd.service.in
@@ -17,6 +17,7 @@ DynamicUser=yes
ExecStart=@rootlibexecdir@/systemd-journal-gatewayd
LockPersonality=yes
MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
PrivateDevices=yes
PrivateNetwork=yes
ProtectControlGroups=yes
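Review bot: The new `NoNewPrivileges=yes` looks redundant for this unit, because `DynamicUser=yes` a few lines above already implies NoNewPrivileges if I recall systemd.exec(5) correctly (the same applies to systemd-journal-upload.service in this commit). That is harmless and consistent with the commit's stated goal of setting the option in every long-running service, so I would keep it. It is only worth confirming the redundancy is intentional, so that nobody later treats the absence of the line in a DynamicUser= unit as a hardening gap. The [Service] section continues outside this hunk.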
diff --git a/units/systemd-journal-remote.service.in b/units/systemd-journal-remote.service.in
index ec1311da88..29a99aaec1 100644
--- a/units/systemd-journal-remote.service.in
+++ b/units/systemd-journal-remote.service.in
@@ -17,6 +17,7 @@ ExecStart=@rootlibexecdir@/systemd-journal-remote --listen-https=-3 --output=/va
LockPersonality=yes
LogsDirectory=journal/remote
MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
PrivateDevices=yes
PrivateNetwork=yes
PrivateTmp=yes
diff --git a/units/systemd-journal-upload.service.in b/units/systemd-journal-upload.service.in
index a15744e1e8..92cd4e5259 100644
--- a/units/systemd-journal-upload.service.in
+++ b/units/systemd-journal-upload.service.in
@@ -18,6 +18,7 @@ DynamicUser=yes
ExecStart=@rootlibexecdir@/systemd-journal-upload --save-state
LockPersonality=yes
MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
PrivateDevices=yes
ProtectControlGroups=yes
ProtectHome=yes
diff --git a/units/systemd-journald.service.in b/units/systemd-journald.service.in
index 7b659d4b03..4684f095c0 100644
--- a/units/systemd-journald.service.in
+++ b/units/systemd-journald.service.in
@@ -22,6 +22,7 @@ FileDescriptorStoreMax=4224
IPAddressDeny=any
LockPersonality=yes
MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
Restart=always
RestartSec=0
RestrictAddressFamilies=AF_UNIX AF_NETLINK
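Review bot: The added `NoNewPrivileges=yes` turns an SELinux policy gap into a boot-time failure for journald: if the policy in force does not permit the NNP-ful transition from init_t to journald's domain, the execve is refused and the unit does not start, and nothing in the unit provides a fallback. Because journald is the logging path itself, that failure mode would be unusually hard to diagnose on an affected system. The commit message already says the change must be synchronized with a policy update; I would also record that requirement in NEWS so packagers and SELinux policy maintainers see it, rather than leaving it only in the commit description. Whether journald runs as root is not visible here, as no `User=` line appears in this hunk.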
diff --git a/units/systemd-localed.service.in b/units/systemd-localed.service.in
index 7d40fb4897..01e0703d0e 100644
--- a/units/systemd-localed.service.in
+++ b/units/systemd-localed.service.in
@@ -19,6 +19,7 @@ ExecStart=@rootlibexecdir@/systemd-localed
IPAddressDeny=any
LockPersonality=yes
MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
PrivateDevices=yes
PrivateNetwork=yes
PrivateTmp=yes
diff --git a/units/systemd-logind.service.in b/units/systemd-logind.service.in
index 6b362ccdca..38a7f269ac 100644
--- a/units/systemd-logind.service.in
+++ b/units/systemd-logind.service.in
@@ -27,6 +27,7 @@ FileDescriptorStoreMax=512
IPAddressDeny=any
LockPersonality=yes
MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
Restart=always
RestartSec=0
RestrictAddressFamilies=AF_UNIX AF_NETLINK
diff --git a/units/systemd-machined.service.in b/units/systemd-machined.service.in
index d90e71ae67..9f1476814d 100644
--- a/units/systemd-machined.service.in
+++ b/units/systemd-machined.service.in
@@ -22,6 +22,7 @@ ExecStart=@rootlibexecdir@/systemd-machined
IPAddressDeny=any
LockPersonality=yes
MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
RestrictRealtime=yes
SystemCallArchitectures=native
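Review bot: NoNewPrivileges is inherited across fork and execve, so it is worth checking what machined's own child processes now carry: as far as I remember, machined forks helpers that enter a container's namespaces and exec a shell or login there (machinectl shell/login), and those sessions will inherit NNP into the container. That is probably harmless because such children run as root inside the container, but setuid- or file-capability-based privilege gain from that session is now blocked, and any container-side LSM domain transition on that exec needs the same NNP-aware policy treatment the commit message describes for the host. This is inferred from machined's behaviour, not from the hunk, which shows no child-process configuration.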
diff --git a/units/systemd-networkd.service.in b/units/systemd-networkd.service.in
index f23bf227fb..472ef045de 100644
--- a/units/systemd-networkd.service.in
+++ b/units/systemd-networkd.service.in
@@ -24,6 +24,7 @@ CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_N
ExecStart=!!@rootlibexecdir@/systemd-networkd
LockPersonality=yes
MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
ProtectControlGroups=yes
ProtectHome=yes
ProtectKernelModules=yes
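Review bot: The `ExecStart=!!` prefix above the new line means this service falls back to running with full root privileges on kernels without ambient-capability support, and `NoNewPrivileges=yes` does not narrow that fallback; it only prevents the process and anything it execs from gaining privileges through setuid or file capabilities. On kernels with ambient capabilities the option combines cleanly with the unit's `AmbientCapabilities=` (presumably set outside this hunk), since ambient capabilities survive an execve under NNP. So the effective sandbox still depends on the running kernel; a one-line mention of that in NEWS would help, no code change needed. The [Service] section continues outside this hunk.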
diff --git a/units/systemd-resolved.service.in b/units/systemd-resolved.service.in
index d08842f0d4..3144b70063 100644
--- a/units/systemd-resolved.service.in
+++ b/units/systemd-resolved.service.in
@@ -25,6 +25,7 @@ CapabilityBoundingSet=CAP_SETPCAP CAP_NET_RAW CAP_NET_BIND_SERVICE
ExecStart=!!@rootlibexecdir@/systemd-resolved
LockPersonality=yes
MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
PrivateDevices=yes
PrivateTmp=yes
ProtectControlGroups=yes
diff --git a/units/systemd-rfkill.service.in b/units/systemd-rfkill.service.in
index 7447ed5b5b..3abb958310 100644
--- a/units/systemd-rfkill.service.in
+++ b/units/systemd-rfkill.service.in
@@ -18,6 +18,7 @@ Before=shutdown.target
[Service]
ExecStart=@rootlibexecdir@/systemd-rfkill
+NoNewPrivileges=yes
StateDirectory=systemd/rfkill
TimeoutSec=30s
Type=notify
diff --git a/units/systemd-timedated.service.in b/units/systemd-timedated.service.in
index 1105f1a980..6d53024195 100644
--- a/units/systemd-timedated.service.in
+++ b/units/systemd-timedated.service.in
@@ -19,6 +19,7 @@ ExecStart=@rootlibexecdir@/systemd-timedated
IPAddressDeny=any
LockPersonality=yes
MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
PrivateTmp=yes
ProtectControlGroups=yes
ProtectHome=yes
diff --git a/units/systemd-timesyncd.service.in b/units/systemd-timesyncd.service.in
index 8b99e92e01..03ade45d08 100644
--- a/units/systemd-timesyncd.service.in
+++ b/units/systemd-timesyncd.service.in
@@ -24,6 +24,7 @@ CapabilityBoundingSet=CAP_SYS_TIME
ExecStart=!!@rootlibexecdir@/systemd-timesyncd
LockPersonality=yes
MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
PrivateDevices=yes
PrivateTmp=yes
ProtectControlGroups=yes