units: turn on ProtectProc= wherever suitable

author: Lennart Poettering <lennart@poettering.net> 2020-08-06 14:50:38 +0200
committer: Lennart Poettering <lennart@poettering.net> 2020-08-24 20:11:14 +0200
commit: 24da96a1bdd6fef2e23d7c23581d572209f8cca7 (patch)
tree: e92747a7b8c7e130bc77dcef28b69d69da594659 /units/systemd-logind.service.in
parent: analyze-security: check for ProtectProc=/ProcSubset= (diff)
download: systemd-24da96a1bdd6fef2e23d7c23581d572209f8cca7.tar.xz
systemd-24da96a1bdd6fef2e23d7c23581d572209f8cca7.zip
1 files changed, 2 insertions, 2 deletions
diff --git a/units/systemd-logind.service.in b/units/systemd-logind.service.in
index 0147b30e0d..ba1b9b791b 100644
--- a/units/systemd-logind.service.in
+++ b/units/systemd-logind.service.in
@@ -28,7 +28,6 @@ DeviceAllow=char-drm rw
 DeviceAllow=char-input rw
 DeviceAllow=char-tty rw
 DeviceAllow=char-vcs rw
-# Make sure the DeviceAllow= lines above can work correctly when referenceing char-drm
 ExecStart=@rootlibexecdir@/systemd-logind
 FileDescriptorStoreMax=512
 IPAddressDeny=any
@@ -36,12 +35,13 @@ LockPersonality=yes
 MemoryDenyWriteExecute=yes
 NoNewPrivileges=yes
 PrivateTmp=yes
+ProtectProc=invisible
 ProtectClock=yes
 ProtectControlGroups=yes
 ProtectHome=yes
 ProtectHostname=yes
-ProtectKernelModules=yes
 ProtectKernelLogs=yes
+ProtectKernelModules=yes
 ProtectSystem=strict
 ReadWritePaths=/etc /run
 Restart=always
author	Lennart Poettering <lennart@poettering.net>	2020-08-06 14:50:38 +0200
committer	Lennart Poettering <lennart@poettering.net>	2020-08-24 20:11:14 +0200
commit	24da96a1bdd6fef2e23d7c23581d572209f8cca7 (patch)
tree	e92747a7b8c7e130bc77dcef28b69d69da594659 /units/systemd-logind.service.in
parent	analyze-security: check for ProtectProc=/ProcSubset= (diff)
download	systemd-24da96a1bdd6fef2e23d7c23581d572209f8cca7.tar.xz systemd-24da96a1bdd6fef2e23d7c23581d572209f8cca7.zip