summaryrefslogtreecommitdiffstats
path: root/units/systemd-hostnamed.service.in
diff options
context:
space:
mode:
authorLennart Poettering <lennart@poettering.net>2017-02-09 10:28:23 +0100
committerLennart Poettering <lennart@poettering.net>2017-02-09 16:12:03 +0100
commit3c19d0b46bb05aef5dcaa2ce83c31b15ee8ae11b (patch)
treeb2219c2de686c483c19b857993ed5a1c9edac879 /units/systemd-hostnamed.service.in
parentunits: set SystemCallArchitectures=native on all our long-running services (diff)
downloadsystemd-3c19d0b46bb05aef5dcaa2ce83c31b15ee8ae11b.tar.xz
systemd-3c19d0b46bb05aef5dcaa2ce83c31b15ee8ae11b.zip
units: restrict namespace for a good number of our own services
Basically, we turn it on for most long-running services, with the exception of machined (whose child processes need to join containers here and there), and importd (which sandboxes tar in a CLONE_NEWNET namespace). machined is left unrestricted, and importd is restricted to use only "net"
Diffstat (limited to 'units/systemd-hostnamed.service.in')
-rw-r--r--units/systemd-hostnamed.service.in1
1 files changed, 1 insertions, 0 deletions
diff --git a/units/systemd-hostnamed.service.in b/units/systemd-hostnamed.service.in
index 89d942b072..8a551403cf 100644
--- a/units/systemd-hostnamed.service.in
+++ b/units/systemd-hostnamed.service.in
@@ -24,6 +24,7 @@ ProtectControlGroups=yes
ProtectKernelTunables=yes
MemoryDenyWriteExecute=yes
RestrictRealtime=yes
+RestrictNamespaces=yes
RestrictAddressFamilies=AF_UNIX
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io
SystemCallArchitectures=native