summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorLennart Poettering <lennart@poettering.net>2017-02-09 11:09:50 +0100
committerLennart Poettering <lennart@poettering.net>2017-02-09 16:12:03 +0100
commitb6c7278c38b5c240d8435ab6293838ee5de827cb (patch)
tree6bc091bdabe57219ce6a0868df34528e66651395
parentunits: switch on ProtectSystem=strict for our long running services (diff)
downloadsystemd-b6c7278c38b5c240d8435ab6293838ee5de827cb.tar.xz
systemd-b6c7278c38b5c240d8435ab6293838ee5de827cb.zip
units: turn on ProtectKernelModules= for most long-running services
-rw-r--r--units/systemd-coredump@.service.in1
-rw-r--r--units/systemd-hostnamed.service.in1
-rw-r--r--units/systemd-journal-gatewayd.service.in1
-rw-r--r--units/systemd-journal-remote.service.in1
-rw-r--r--units/systemd-journal-upload.service.in1
-rw-r--r--units/systemd-localed.service.in1
-rw-r--r--units/systemd-networkd.service.m4.in1
-rw-r--r--units/systemd-resolved.service.m4.in1
-rw-r--r--units/systemd-timedated.service.in1
-rw-r--r--units/systemd-timesyncd.service.in1
10 files changed, 10 insertions, 0 deletions
diff --git a/units/systemd-coredump@.service.in b/units/systemd-coredump@.service.in
index 760769191c..f12b28d6a6 100644
--- a/units/systemd-coredump@.service.in
+++ b/units/systemd-coredump@.service.in
@@ -24,3 +24,4 @@ ProtectSystem=strict
RuntimeMaxSec=5min
SystemCallArchitectures=native
ReadWritePaths=/var/lib/systemd/coredump
+ProtectKernelModules=yes
diff --git a/units/systemd-hostnamed.service.in b/units/systemd-hostnamed.service.in
index 6904785e45..85410adc72 100644
--- a/units/systemd-hostnamed.service.in
+++ b/units/systemd-hostnamed.service.in
@@ -22,6 +22,7 @@ ProtectSystem=strict
ProtectHome=yes
ProtectControlGroups=yes
ProtectKernelTunables=yes
+ProtectKernelModules=yes
MemoryDenyWriteExecute=yes
RestrictRealtime=yes
RestrictNamespaces=yes
diff --git a/units/systemd-journal-gatewayd.service.in b/units/systemd-journal-gatewayd.service.in
index ecc5b56c9c..99099967e7 100644
--- a/units/systemd-journal-gatewayd.service.in
+++ b/units/systemd-journal-gatewayd.service.in
@@ -22,6 +22,7 @@ ProtectSystem=strict
ProtectHome=yes
ProtectControlGroups=yes
ProtectKernelTunables=yes
+ProtectKernelModules=yes
MemoryDenyWriteExecute=yes
RestrictRealtime=yes
RestrictNamespaces=yes
diff --git a/units/systemd-journal-remote.service.in b/units/systemd-journal-remote.service.in
index 323e308871..5404bf1c03 100644
--- a/units/systemd-journal-remote.service.in
+++ b/units/systemd-journal-remote.service.in
@@ -22,6 +22,7 @@ ProtectSystem=strict
ProtectHome=yes
ProtectControlGroups=yes
ProtectKernelTunables=yes
+ProtectKernelModules=yes
MemoryDenyWriteExecute=yes
RestrictRealtime=yes
RestrictNamespaces=yes
diff --git a/units/systemd-journal-upload.service.in b/units/systemd-journal-upload.service.in
index d7e0b290e9..b9eab21542 100644
--- a/units/systemd-journal-upload.service.in
+++ b/units/systemd-journal-upload.service.in
@@ -22,6 +22,7 @@ ProtectSystem=strict
ProtectHome=yes
ProtectControlGroups=yes
ProtectKernelTunables=yes
+ProtectKernelModules=yes
MemoryDenyWriteExecute=yes
RestrictRealtime=yes
RestrictNamespaces=yes
diff --git a/units/systemd-localed.service.in b/units/systemd-localed.service.in
index d6441d9f5f..a41e30bfdf 100644
--- a/units/systemd-localed.service.in
+++ b/units/systemd-localed.service.in
@@ -22,6 +22,7 @@ ProtectSystem=strict
ProtectHome=yes
ProtectControlGroups=yes
ProtectKernelTunables=yes
+ProtectKernelModules=yes
MemoryDenyWriteExecute=yes
RestrictRealtime=yes
RestrictNamespaces=yes
diff --git a/units/systemd-networkd.service.m4.in b/units/systemd-networkd.service.m4.in
index 153ddeb323..d33deb97b6 100644
--- a/units/systemd-networkd.service.m4.in
+++ b/units/systemd-networkd.service.m4.in
@@ -31,6 +31,7 @@ CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_N
ProtectSystem=strict
ProtectHome=yes
ProtectControlGroups=yes
+ProtectKernelModules=yes
MemoryDenyWriteExecute=yes
RestrictRealtime=yes
RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6 AF_PACKET
diff --git a/units/systemd-resolved.service.m4.in b/units/systemd-resolved.service.m4.in
index dfd2f4ad0a..08f0a85aea 100644
--- a/units/systemd-resolved.service.m4.in
+++ b/units/systemd-resolved.service.m4.in
@@ -31,6 +31,7 @@ ProtectSystem=strict
ProtectHome=yes
ProtectControlGroups=yes
ProtectKernelTunables=yes
+ProtectKernelModules=yes
MemoryDenyWriteExecute=yes
RestrictRealtime=yes
RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
diff --git a/units/systemd-timedated.service.in b/units/systemd-timedated.service.in
index 336a231290..2881e122dc 100644
--- a/units/systemd-timedated.service.in
+++ b/units/systemd-timedated.service.in
@@ -20,6 +20,7 @@ ProtectSystem=strict
ProtectHome=yes
ProtectControlGroups=yes
ProtectKernelTunables=yes
+ProtectKernelModules=yes
MemoryDenyWriteExecute=yes
RestrictRealtime=yes
RestrictNamespaces=yes
diff --git a/units/systemd-timesyncd.service.in b/units/systemd-timesyncd.service.in
index 41d41806c1..ab48a7aa30 100644
--- a/units/systemd-timesyncd.service.in
+++ b/units/systemd-timesyncd.service.in
@@ -30,6 +30,7 @@ ProtectSystem=strict
ProtectHome=yes
ProtectControlGroups=yes
ProtectKernelTunables=yes
+ProtectKernelModules=yes
MemoryDenyWriteExecute=yes
RestrictRealtime=yes
RestrictNamespaces=yes