]> git.ipfire.org Git - thirdparty/systemd.git/commitdiff
projects / thirdparty / systemd.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 1f9ac68)
units: tighten system call filters a bit
authorLennart Poettering <lennart@poettering.net>
Fri, 10 Jun 2016 16:00:12 +0000 (18:00 +0200)
committerLennart Poettering <lennart@poettering.net>
Mon, 13 Jun 2016 14:25:54 +0000 (16:25 +0200)
Take away kernel keyring access, CPU emulation system calls and various debug
system calls from the various daemons we have.

units/systemd-hostnamed.service.in patch | blob | blame | history
units/systemd-importd.service.in patch | blob | blame | history
units/systemd-journald.service.in patch | blob | blame | history
units/systemd-localed.service.in patch | blob | blame | history
units/systemd-logind.service.in patch | blob | blame | history
units/systemd-machined.service.in patch | blob | blame | history
units/systemd-networkd.service.m4.in patch | blob | blame | history
units/systemd-resolved.service.m4.in patch | blob | blame | history
units/systemd-timedated.service.in patch | blob | blame | history
units/systemd-timesyncd.service.in patch | blob | blame | history

diff --git a/units/systemd-hostnamed.service.in b/units/systemd-hostnamed.service.in
index d8f18bed53692b6784c7c54c9a69ddab467daddf..0b03a589ea5a31bc2f0631e7e3922c66b08ce3a6 100644 (file)
--- a/units/systemd-hostnamed.service.in
+++ b/units/systemd-hostnamed.service.in
@@ -21,4 +21,4 @@ PrivateNetwork=yes
 ProtectSystem=yes
 ProtectHome=yes
 MemoryDenyWriteExecute=yes
-SystemCallFilter=~@clock @module @mount @obsolete @raw-io ptrace
+SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io
diff --git a/units/systemd-importd.service.in b/units/systemd-importd.service.in
index a3d1a1519b5e58c825a3cb093e700e355b0d99db..0f5489e7e3ca028c32315c895fd92f5ef6bb51e4 100644 (file)
--- a/units/systemd-importd.service.in
+++ b/units/systemd-importd.service.in
@@ -18,4 +18,4 @@ NoNewPrivileges=yes
 WatchdogSec=3min
 KillMode=mixed
 MemoryDenyWriteExecute=yes
-SystemCallFilter=~@clock @module @mount @obsolete @raw-io ptrace
+SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io
diff --git a/units/systemd-journald.service.in b/units/systemd-journald.service.in
index 58808d4f8ce70835fc35f1a00db82a622d51933a..08ace8ae44eac9611fa1cbd3384c2e3f087d75bd 100644 (file)
--- a/units/systemd-journald.service.in
+++ b/units/systemd-journald.service.in
@@ -25,7 +25,7 @@ CapabilityBoundingSet=CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SYS_PTRACE CAP_SYSLOG C
 WatchdogSec=3min
 FileDescriptorStoreMax=1024
 MemoryDenyWriteExecute=yes
-SystemCallFilter=~@clock @module @mount @obsolete @raw-io ptrace
+SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io
 
 # Increase the default a bit in order to allow many simultaneous
 # services being run since we keep one fd open per service. Also, when
diff --git a/units/systemd-localed.service.in b/units/systemd-localed.service.in
index 5efa6775489b0261a9d116fba3750c087597cdaf..1f3151c2b5a763faab3404503d7428e39ba32f47 100644 (file)
--- a/units/systemd-localed.service.in
+++ b/units/systemd-localed.service.in
@@ -21,4 +21,4 @@ PrivateNetwork=yes
 ProtectSystem=yes
 ProtectHome=yes
 MemoryDenyWriteExecute=yes
-SystemCallFilter=~@clock @module @mount @obsolete @privileged @raw-io ptrace
+SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io
diff --git a/units/systemd-logind.service.in b/units/systemd-logind.service.in
index a9598760e293753fe4324631864ab261225903bc..bee08d011f4f89f822b743722b8074ffdf494855 100644 (file)
--- a/units/systemd-logind.service.in
+++ b/units/systemd-logind.service.in
@@ -26,7 +26,7 @@ BusName=org.freedesktop.login1
 CapabilityBoundingSet=CAP_SYS_ADMIN CAP_MAC_ADMIN CAP_AUDIT_CONTROL CAP_CHOWN CAP_KILL CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE CAP_FOWNER CAP_SYS_TTY_CONFIG
 WatchdogSec=3min
 MemoryDenyWriteExecute=yes
-SystemCallFilter=~@clock @module @mount @obsolete @raw-io ptrace
+SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @obsolete @raw-io
 
 # Increase the default a bit in order to allow many simultaneous
 # logins since we keep one fd open per session.
diff --git a/units/systemd-machined.service.in b/units/systemd-machined.service.in
index 82dca0533829bc82646b0431a4b0291e6c64ac6d..cd4a097f5a3ec6fa35d72de6946394483ad1bbfe 100644 (file)
--- a/units/systemd-machined.service.in
+++ b/units/systemd-machined.service.in
@@ -18,7 +18,7 @@ BusName=org.freedesktop.machine1
 CapabilityBoundingSet=CAP_KILL CAP_SYS_PTRACE CAP_SYS_ADMIN CAP_SETGID CAP_SYS_CHROOT CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE CAP_CHOWN CAP_FOWNER CAP_FSETID CAP_MKNOD
 WatchdogSec=3min
 MemoryDenyWriteExecute=yes
-SystemCallFilter=~@clock @module @mount @obsolete @raw-io ptrace
+SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io
 
 # Note that machined cannot be placed in a mount namespace, since it
 # needs access to the host's mount namespace in order to implement the
diff --git a/units/systemd-networkd.service.m4.in b/units/systemd-networkd.service.m4.in
index 3feb2b84f5ae18e66bdd7268c99126c7bd46184c..38d967d2d1c3e2bec82619c81a1b68824d0a0917 100644 (file)
--- a/units/systemd-networkd.service.m4.in
+++ b/units/systemd-networkd.service.m4.in
@@ -32,7 +32,7 @@ ProtectSystem=full
 ProtectHome=yes
 WatchdogSec=3min
 MemoryDenyWriteExecute=yes
-SystemCallFilter=~@clock @module @mount @obsolete @raw-io ptrace
+SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io
 
 [Install]
 WantedBy=multi-user.target
diff --git a/units/systemd-resolved.service.m4.in b/units/systemd-resolved.service.m4.in
index 4a94f747e2e99f9ef4d743371221171960863c92..a9cc3988edb8eba210104388970c4144c134ee3d 100644 (file)
--- a/units/systemd-resolved.service.m4.in
+++ b/units/systemd-resolved.service.m4.in
@@ -28,7 +28,7 @@ ProtectSystem=full
 ProtectHome=yes
 WatchdogSec=3min
 MemoryDenyWriteExecute=yes
-SystemCallFilter=~@clock @module @mount @obsolete @raw-io ptrace
+SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io
 
 [Install]
 WantedBy=multi-user.target
diff --git a/units/systemd-timedated.service.in b/units/systemd-timedated.service.in
index 1bdbe65aad6f5f352865812ee048762052142f34..bc1795d7470530b3f75efe40620f1b3b2a7031c4 100644 (file)
--- a/units/systemd-timedated.service.in
+++ b/units/systemd-timedated.service.in
@@ -19,4 +19,4 @@ PrivateTmp=yes
 ProtectSystem=yes
 ProtectHome=yes
 MemoryDenyWriteExecute=yes
-SystemCallFilter=~@module @mount @obsolete @raw-io ptrace
+SystemCallFilter=~@cpu-emulation @debug @keyring @module @mount @obsolete @raw-io
diff --git a/units/systemd-timesyncd.service.in b/units/systemd-timesyncd.service.in
index 8c86021f5ee84f0fdffd029ebdee0b585c5af066..df1e339196cb42d736bef877cd363b075ba593ff 100644 (file)
--- a/units/systemd-timesyncd.service.in
+++ b/units/systemd-timesyncd.service.in
@@ -29,7 +29,7 @@ ProtectSystem=full
 ProtectHome=yes
 WatchdogSec=3min
 MemoryDenyWriteExecute=yes
-SystemCallFilter=~@module @mount @obsolete @raw-io ptrace
+SystemCallFilter=~@cpu-emulation @debug @keyring @module @mount @obsolete @raw-io
 
 [Install]
 WantedBy=sysinit.target
Unnamed repository; edit this file 'description' to name the repository.