From 24da96a1bdd6fef2e23d7c23581d572209f8cca7 Mon Sep 17 00:00:00 2001
From: Lennart Poettering
Date: Thu, 6 Aug 2020 14:50:38 +0200
Subject: units: turn on ProtectProc= wherever suitable
---
 units/systemd-hostnamed.service.in | 3 ++-
 units/systemd-journal-gatewayd.service.in | 3 ++-
 units/systemd-journal-remote.service.in | 3 ++-
 units/systemd-journal-upload.service.in | 3 ++-
 units/systemd-localed.service.in | 3 ++-
 units/systemd-logind.service.in | 4 ++--
 units/systemd-networkd.service.in | 5 +++--
 units/systemd-resolved.service.in | 3 ++-
 units/systemd-timedated.service.in | 3 ++-
 units/systemd-timesyncd.service.in | 3 ++-
 units/systemd-userdbd.service.in | 1 +
 11 files changed, 22 insertions(+), 12 deletions(-)
diff --git a/units/systemd-hostnamed.service.in b/units/systemd-hostnamed.service.in
index 1365d749ca..923f32f6db 100644
--- a/units/systemd-hostnamed.service.in
+++ b/units/systemd-hostnamed.service.in
@@ -23,11 +23,12 @@ NoNewPrivileges=yes
 PrivateDevices=yes
 PrivateNetwork=yes
 PrivateTmp=yes
+ProtectProc=invisible
 ProtectControlGroups=yes
 ProtectHome=yes
+ProtectKernelLogs=yes
 ProtectKernelModules=yes
 ProtectKernelTunables=yes
-ProtectKernelLogs=yes
 ProtectSystem=strict
 ReadWritePaths=/etc
 RestrictAddressFamilies=AF_UNIX
diff --git a/units/systemd-journal-gatewayd.service.in b/units/systemd-journal-gatewayd.service.in
index 8071395e68..2436f2a2cf 100644
--- a/units/systemd-journal-gatewayd.service.in
+++ b/units/systemd-journal-gatewayd.service.in
@@ -19,12 +19,13 @@ LockPersonality=yes
 MemoryDenyWriteExecute=yes
 PrivateDevices=yes
 PrivateNetwork=yes
+ProtectProc=invisible
 ProtectControlGroups=yes
 ProtectHome=yes
 ProtectHostname=yes
+ProtectKernelLogs=yes
 ProtectKernelModules=yes
 ProtectKernelTunables=yes
-ProtectKernelLogs=yes
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
 RestrictNamespaces=yes
 RestrictRealtime=yes
diff --git a/units/systemd-journal-remote.service.in b/units/systemd-journal-remote.service.in
index 334f030caa..82befc9912 100644
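Review bot: The `ProtectProc=invisible` line added after `PrivateTmp=yes` cannot be judged an effective hardening from this hunk alone, because hidepid= filtering only restricts callers that lack ptrace access to the target process: per systemd.exec(5) the option needs a non-root `User=` or `DynamicUser=` and a bounding set without CAP_SYS_PTRACE to take effect, and those directives lie outside every hunk in this patch apart from networkd's `User=systemd-network`. On kernels without per-mount-point hidepid= support the directive is silently a no-op, so a hardening inventory should not record it as applied until checked on the target kernel; a one-line comment next to the new line, e.g. `# ProtectProc= only bites for non-root services without CAP_SYS_PTRACE`, would keep the next reader from assuming otherwise. As a point of style, the new line is inserted ahead of `ProtectControlGroups=yes`, breaking the alphabetical order that this same hunk restores by moving `ProtectKernelLogs=yes` above `ProtectKernelModules=yes`; sorted, it belongs directly after `ProtectKernelTunables=yes`. Both remarks apply equally to the journal-gatewayd, journal-remote, journal-upload, localed, logind, networkd, resolved, timedated, timesyncd and userdbd hunks, and in each file the enclosing section header is outside the hunk.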
--- a/units/systemd-journal-remote.service.in
+++ b/units/systemd-journal-remote.service.in
@@ -21,13 +21,14 @@ NoNewPrivileges=yes
 PrivateDevices=yes
 PrivateNetwork=yes
 PrivateTmp=yes
+ProtectProc=invisible
 ProtectClock=yes
 ProtectControlGroups=yes
 ProtectHome=yes
 ProtectHostname=yes
+ProtectKernelLogs=yes
 ProtectKernelModules=yes
 ProtectKernelTunables=yes
-ProtectKernelLogs=yes
 ProtectSystem=strict
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
 RestrictNamespaces=yes
diff --git a/units/systemd-journal-upload.service.in b/units/systemd-journal-upload.service.in
index 2f1cce8518..8b9a9ebdfb 100644
--- a/units/systemd-journal-upload.service.in
+++ b/units/systemd-journal-upload.service.in
@@ -19,12 +19,13 @@ ExecStart=@rootlibexecdir@/systemd-journal-upload --save-state
 LockPersonality=yes
 MemoryDenyWriteExecute=yes
 PrivateDevices=yes
+ProtectProc=invisible
 ProtectControlGroups=yes
 ProtectHome=yes
 ProtectHostname=yes
+ProtectKernelLogs=yes
 ProtectKernelModules=yes
 ProtectKernelTunables=yes
-ProtectKernelLogs=yes
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
 RestrictNamespaces=yes
 RestrictRealtime=yes
diff --git a/units/systemd-localed.service.in b/units/systemd-localed.service.in
index 10ecff5184..69d25f6733 100644
--- a/units/systemd-localed.service.in
+++ b/units/systemd-localed.service.in
@@ -23,12 +23,13 @@ NoNewPrivileges=yes
 PrivateDevices=yes
 PrivateNetwork=yes
 PrivateTmp=yes
+ProtectProc=invisible
 ProtectControlGroups=yes
 ProtectHome=yes
 ProtectHostname=yes
+ProtectKernelLogs=yes
 ProtectKernelModules=yes
 ProtectKernelTunables=yes
-ProtectKernelLogs=yes
 ProtectSystem=strict
 ReadWritePaths=/etc
 RestrictAddressFamilies=AF_UNIX
diff --git a/units/systemd-logind.service.in b/units/systemd-logind.service.in
index 0147b30e0d..ba1b9b791b 100644
--- a/units/systemd-logind.service.in
+++ b/units/systemd-logind.service.in
@@ -28,7 +28,6 @@ DeviceAllow=char-drm rw
 DeviceAllow=char-input rw
 DeviceAllow=char-tty rw
 DeviceAllow=char-vcs rw
-# Make sure the DeviceAllow= lines above can work correctly when referenceing char-drm
 ExecStart=@rootlibexecdir@/systemd-logind
 FileDescriptorStoreMax=512
 IPAddressDeny=any
@@ -36,12 +35,13 @@ LockPersonality=yes
 MemoryDenyWriteExecute=yes
 NoNewPrivileges=yes
 PrivateTmp=yes
+ProtectProc=invisible
 ProtectClock=yes
 ProtectControlGroups=yes
 ProtectHome=yes
 ProtectHostname=yes
-ProtectKernelModules=yes
 ProtectKernelLogs=yes
+ProtectKernelModules=yes
 ProtectSystem=strict
 ReadWritePaths=/etc /run
 Restart=always
diff --git a/units/systemd-networkd.service.in b/units/systemd-networkd.service.in
index 2673146841..6ccbb5a95d 100644
--- a/units/systemd-networkd.service.in
+++ b/units/systemd-networkd.service.in
@@ -26,13 +26,15 @@ ExecStart=!!@rootlibexecdir@/systemd-networkd
 LockPersonality=yes
 MemoryDenyWriteExecute=yes
 NoNewPrivileges=yes
+ProtectProc=invisible
 ProtectClock=yes
 ProtectControlGroups=yes
 ProtectHome=yes
-ProtectKernelModules=yes
 ProtectKernelLogs=yes
+ProtectKernelModules=yes
 ProtectSystem=strict
 Restart=on-failure
+RestartKillSignal=SIGUSR2
 RestartSec=0
 RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6 AF_PACKET AF_ALG
 RestrictNamespaces=yes
@@ -44,7 +46,6 @@ SystemCallArchitectures=native
 SystemCallErrorNumber=EPERM
 SystemCallFilter=@system-service
 Type=notify
-RestartKillSignal=SIGUSR2
 User=systemd-network
 @SERVICE_WATCHDOG@
diff --git a/units/systemd-resolved.service.in b/units/systemd-resolved.service.in
index 5723f1c1e2..ecfc999a92 100644
--- a/units/systemd-resolved.service.in
+++ b/units/systemd-resolved.service.in
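Review bot: In the second logind hunk, `ProtectProc=invisible` is applied to a service that, as far as I can tell, resolves D-Bus and PAM caller PIDs to sessions by reading `/proc/PID/` metadata of processes owned by other users; with hidepid=invisible those entries are hidden from any caller that cannot ptrace the target, which includes uid 0 once CAP_SYS_PTRACE is absent from the bounding set. The bounding set is outside the hunk, so this is an inference to confirm rather than a demonstrated breakage: a non-root login that creates a session through logind should be exercised against the new unit, and if the lookups fail the directive should be dropped for this unit rather than worked around by granting extra capabilities. The first hunk in this file removes only a stale comment and needs no further change. The enclosing section header lies outside both hunks.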
@@ -28,12 +28,13 @@ MemoryDenyWriteExecute=yes
 NoNewPrivileges=yes
 PrivateDevices=yes
 PrivateTmp=yes
+ProtectProc=invisible
 ProtectClock=yes
 ProtectControlGroups=yes
 ProtectHome=yes
+ProtectKernelLogs=yes
 ProtectKernelModules=yes
 ProtectKernelTunables=yes
-ProtectKernelLogs=yes
 ProtectSystem=strict
 Restart=always
 RestartSec=0
diff --git a/units/systemd-timedated.service.in b/units/systemd-timedated.service.in
index 87859f4aef..2d51c0f893 100644
--- a/units/systemd-timedated.service.in
+++ b/units/systemd-timedated.service.in
@@ -22,12 +22,13 @@ LockPersonality=yes
 MemoryDenyWriteExecute=yes
 NoNewPrivileges=yes
 PrivateTmp=yes
+ProtectProc=invisible
 ProtectControlGroups=yes
 ProtectHome=yes
 ProtectHostname=yes
+ProtectKernelLogs=yes
 ProtectKernelModules=yes
 ProtectKernelTunables=yes
-ProtectKernelLogs=yes
 ProtectSystem=strict
 ReadWritePaths=/etc
 RestrictAddressFamilies=AF_UNIX
diff --git a/units/systemd-timesyncd.service.in b/units/systemd-timesyncd.service.in
index 92ee94582c..e27c74fca1 100644
--- a/units/systemd-timesyncd.service.in
+++ b/units/systemd-timesyncd.service.in
@@ -27,12 +27,13 @@ MemoryDenyWriteExecute=yes
 NoNewPrivileges=yes
 PrivateDevices=yes
 PrivateTmp=yes
+ProtectProc=invisible
 ProtectControlGroups=yes
 ProtectHome=yes
 ProtectHostname=yes
+ProtectKernelLogs=yes
 ProtectKernelModules=yes
 ProtectKernelTunables=yes
-ProtectKernelLogs=yes
 ProtectSystem=strict
 Restart=always
 RestartSec=0
diff --git a/units/systemd-userdbd.service.in b/units/systemd-userdbd.service.in
index 3b76705373..bbfd83a8f2 100644
--- a/units/systemd-userdbd.service.in
+++ b/units/systemd-userdbd.service.in
@@ -24,6 +24,7 @@ LockPersonality=yes
 MemoryDenyWriteExecute=yes
 NoNewPrivileges=yes
 PrivateDevices=yes
+ProtectProc=invisible
 ProtectControlGroups=yes
 ProtectHome=yes
 ProtectHostname=yes
--
cgit v1.2.3