]> git.ipfire.org Git - thirdparty/systemd.git/commitdiff
projects / thirdparty / systemd.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: b6c7278)
units: lock down coredump service a bit
authorLennart Poettering <lennart@poettering.net>
Thu, 9 Feb 2017 10:17:45 +0000 (11:17 +0100)
committerLennart Poettering <lennart@poettering.net>
Thu, 9 Feb 2017 15:12:03 +0000 (16:12 +0100)
Dissecting a coredump is possibly risky and might take a while, hence
lock down the unit as much as we can.

units/systemd-coredump@.service.in patch | blob | blame | history

diff --git a/units/systemd-coredump@.service.in b/units/systemd-coredump@.service.in
index f12b28d6a6ba0c8f38e60c3400d8dfbfa14e851f..18f2d2d605c6344446e04d8471b321b2f7278176 100644 (file)
--- a/units/systemd-coredump@.service.in
+++ b/units/systemd-coredump@.service.in
@@ -19,9 +19,19 @@ Before=shutdown.target
 ExecStart=-@rootlibexecdir@/systemd-coredump
 Nice=9
 OOMScoreAdjust=500
+RuntimeMaxSec=5min
+PrivateTmp=yes
+PrivateDevices=yes
 PrivateNetwork=yes
 ProtectSystem=strict
-RuntimeMaxSec=5min
+ProtectHome=yes
+ProtectControlGroups=yes
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+MemoryDenyWriteExecute=yes
+RestrictRealtime=yes
+RestrictNamespaces=yes
+RestrictAddressFamilies=AF_UNIX
+SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
 SystemCallArchitectures=native
 ReadWritePaths=/var/lib/systemd/coredump
-ProtectKernelModules=yes
Unnamed repository; edit this file 'description' to name the repository.