From: Luca Boccassi
Date: Thu, 12 Dec 2024 11:48:52 +0000 (+0000)
Subject: units: use PrivateTmp=disconnected instead of 'yes' if DefaultDependencies=no
X-Git-Tag: v258-rc1~1881
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=1ca315be0097bccc9ff55e09ac339a48fdb9a040;p=thirdparty%2Fsystemd.git

units: use PrivateTmp=disconnected instead of 'yes' if DefaultDependencies=no

Avoids subtle race conditions such as the one described at #35582.
Fixes #35582
---
diff --git a/units/systemd-coredump@.service.in b/units/systemd-coredump@.service.in
index fa3206d07b5..c74dc7a5a11 100644
--- a/units/systemd-coredump@.service.in
+++ b/units/systemd-coredump@.service.in
@@ -26,7 +26,7 @@ NoNewPrivileges=yes
 OOMScoreAdjust=500
 PrivateDevices=yes
 PrivateNetwork=yes
-PrivateTmp=yes
+PrivateTmp=disconnected
 ProtectControlGroups=yes
 ProtectHome=read-only
 ProtectHostname=yes
diff --git a/units/systemd-oomd.service.in b/units/systemd-oomd.service.in
index 82bd6245f83..670d5e61408 100644
--- a/units/systemd-oomd.service.in
+++ b/units/systemd-oomd.service.in
@@ -37,7 +37,7 @@ MemoryLow=64M
 NoNewPrivileges=yes
 OOMScoreAdjust=-900
 PrivateDevices=yes
-PrivateTmp=yes
+PrivateTmp=disconnected
 ProtectClock=yes
 ProtectHome=yes
 ProtectHostname=yes
diff --git a/units/systemd-resolved.service.in b/units/systemd-resolved.service.in
index 4aa0788ac4e..e181b2528ae 100644
--- a/units/systemd-resolved.service.in
+++ b/units/systemd-resolved.service.in
@@ -29,7 +29,7 @@ LockPersonality=yes
 MemoryDenyWriteExecute=yes
 NoNewPrivileges=yes
 PrivateDevices=yes
-PrivateTmp=yes
+PrivateTmp=disconnected
 ProtectClock=yes
 ProtectControlGroups=yes
 ProtectHome=yes
diff --git a/units/systemd-timesyncd.service.in b/units/systemd-timesyncd.service.in
index cf233fbffd4..835d6327e7a 100644
--- a/units/systemd-timesyncd.service.in
+++ b/units/systemd-timesyncd.service.in
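Review bot: The new `PrivateTmp=disconnected` line in units/systemd-coredump@.service.in has no in-file explanation, so a later hardening cleanup could set it back to `yes` and reintroduce the race from #35582. The same applies to the systemd-oomd, systemd-resolved and systemd-timesyncd hunks. A one-line comment above each setting would record the reason, for example `# "disconnected" rather than "yes": this unit sets DefaultDependencies=no, see #35582`. The DefaultDependencies=no line is outside the visible context in all four hunks, so that part is taken from the commit title. It is also worth confirming that none of these services relies on /var/tmp content surviving a restart or being reachable from the host, since the disconnected mode presumably backs both directories with a fresh tmpfs instead of the host's.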
@@ -31,7 +31,7 @@ LockPersonality=yes
 MemoryDenyWriteExecute=yes
 NoNewPrivileges=yes
 PrivateDevices=yes
-PrivateTmp=yes
+PrivateTmp=disconnected
 ProtectProc=invisible
 ProtectControlGroups=yes
 ProtectHome=yes