From 24da96a1bdd6fef2e23d7c23581d572209f8cca7 Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Thu, 6 Aug 2020 14:50:38 +0200
Subject: units: turn on ProtectProc= wherever suitable

---
 units/systemd-logind.service.in | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'units/systemd-logind.service.in')

diff --git a/units/systemd-logind.service.in b/units/systemd-logind.service.in
index 0147b30e0d..ba1b9b791b 100644
--- a/units/systemd-logind.service.in
+++ b/units/systemd-logind.service.in
@@ -28,7 +28,6 @@ DeviceAllow=char-drm rw
 DeviceAllow=char-input rw
 DeviceAllow=char-tty rw
 DeviceAllow=char-vcs rw
-# Make sure the DeviceAllow= lines above can work correctly when referenceing char-drm
 ExecStart=@rootlibexecdir@/systemd-logind
 FileDescriptorStoreMax=512
 IPAddressDeny=any
@@ -36,12 +35,13 @@ LockPersonality=yes
 MemoryDenyWriteExecute=yes
 NoNewPrivileges=yes
 PrivateTmp=yes
+ProtectProc=invisible
 ProtectClock=yes
 ProtectControlGroups=yes
 ProtectHome=yes
 ProtectHostname=yes
-ProtectKernelModules=yes
 ProtectKernelLogs=yes
+ProtectKernelModules=yes
 ProtectSystem=strict
 ReadWritePaths=/etc /run
 Restart=always
-- 
cgit v1.2.3