summaryrefslogtreecommitdiffstats
path: root/units
diff options
context:
space:
mode:
authorLennart Poettering <lennart@poettering.net>2018-10-05 17:41:56 +0200
committerGitHub <noreply@github.com>2018-10-05 17:41:56 +0200
commitdacd72362034651711041ede29397c0616ec39f7 (patch)
treec738cc5abdae4cdfec22bf6dd3cca831fcfd4ac0 /units
parentman/systemd.exec: MountFlags=shared behaviour was changed (fixed?) (diff)
parentbus-util: drop now-unused functions (diff)
downloadsystemd-dacd72362034651711041ede29397c0616ec39f7.tar.xz
systemd-dacd72362034651711041ede29397c0616ec39f7.zip
Merge pull request #10117 from keszybz/undynamicify
Set DynamicUser=no for networkd, resolved, timesyncd
Diffstat (limited to 'units')
-rw-r--r--units/systemd-networkd.service.in4
-rw-r--r--units/systemd-resolved.service.in5
-rw-r--r--units/systemd-timesyncd.service.in5
3 files changed, 8 insertions, 6 deletions
diff --git a/units/systemd-networkd.service.in b/units/systemd-networkd.service.in
index 371ab3a9cf..65d3e2a660 100644
--- a/units/systemd-networkd.service.in
+++ b/units/systemd-networkd.service.in
@@ -13,7 +13,7 @@ Documentation=man:systemd-networkd.service(8)
ConditionCapability=CAP_NET_ADMIN
DefaultDependencies=no
# systemd-udevd.service can be dropped once tuntap is moved to netlink
-After=systemd-udevd.service network-pre.target systemd-sysctl.service
+After=systemd-udevd.service network-pre.target systemd-sysusers.service systemd-sysctl.service
Before=network.target multi-user.target shutdown.target
Conflicts=shutdown.target
Wants=network.target
@@ -25,9 +25,9 @@ RestartSec=0
ExecStart=!!@rootlibexecdir@/systemd-networkd
WatchdogSec=3min
User=systemd-network
-DynamicUser=yes
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW
+ProtectSystem=strict
ProtectHome=yes
ProtectControlGroups=yes
ProtectKernelModules=yes
diff --git a/units/systemd-resolved.service.in b/units/systemd-resolved.service.in
index 9982ecebff..ef5398cbf0 100644
--- a/units/systemd-resolved.service.in
+++ b/units/systemd-resolved.service.in
@@ -14,7 +14,7 @@ Documentation=https://www.freedesktop.org/wiki/Software/systemd/resolved
Documentation=https://www.freedesktop.org/wiki/Software/systemd/writing-network-configuration-managers
Documentation=https://www.freedesktop.org/wiki/Software/systemd/writing-resolver-clients
DefaultDependencies=no
-After=systemd-networkd.service
+After=systemd-sysusers.service systemd-networkd.service
Before=network.target nss-lookup.target shutdown.target
Conflicts=shutdown.target
Wants=nss-lookup.target
@@ -26,10 +26,11 @@ RestartSec=0
ExecStart=!!@rootlibexecdir@/systemd-resolved
WatchdogSec=3min
User=systemd-resolve
-DynamicUser=yes
CapabilityBoundingSet=CAP_SETPCAP CAP_NET_RAW CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_SETPCAP CAP_NET_RAW CAP_NET_BIND_SERVICE
+PrivateTmp=yes
PrivateDevices=yes
+ProtectSystem=strict
ProtectHome=yes
ProtectControlGroups=yes
ProtectKernelTunables=yes
diff --git a/units/systemd-timesyncd.service.in b/units/systemd-timesyncd.service.in
index 4a490b6e16..12f918dd11 100644
--- a/units/systemd-timesyncd.service.in
+++ b/units/systemd-timesyncd.service.in
@@ -13,7 +13,7 @@ Documentation=man:systemd-timesyncd.service(8)
ConditionCapability=CAP_SYS_TIME
ConditionVirtualization=!container
DefaultDependencies=no
-After=systemd-remount-fs.service
+After=systemd-remount-fs.service systemd-sysusers.service
Before=time-sync.target sysinit.target shutdown.target
Conflicts=shutdown.target
Wants=time-sync.target
@@ -25,10 +25,11 @@ RestartSec=0
ExecStart=!!@rootlibexecdir@/systemd-timesyncd
WatchdogSec=3min
User=systemd-timesync
-DynamicUser=yes
CapabilityBoundingSet=CAP_SYS_TIME
AmbientCapabilities=CAP_SYS_TIME
+PrivateTmp=yes
PrivateDevices=yes
+ProtectSystem=strict
ProtectHome=yes
ProtectControlGroups=yes
ProtectKernelTunables=yes