From: Lennart Poettering
Date: Mon, 12 Nov 2018 16:19:48 +0000 (+0100)
Subject: units: set NoNewPrivileges= for all long-running services
X-Git-Tag: v240~22^2~2
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=64d7f7b4a15f1534fb19fda6b601fec50783bee4;p=thirdparty%2Fsystemd.git
units: set NoNewPrivileges= for all long-running services
Previously, setting this option by default was problematic due to SELinux (as this would also prohibit the transition from PID1's label to the service's label). However, this restriction has since been lifted, hence let's start making use of this universally in our services.
On SELinux system this change should be synchronized with a policy update that ensures that NNP-ful transitions from init_t to service labels is permitted.
Fixes: #1219
---
diff --git a/units/systemd-coredump@.service.in b/units/systemd-coredump@.service.in
index 74dcf7fe06b..ffcb5f36ca6 100644
--- a/units/systemd-coredump@.service.in
+++ b/units/systemd-coredump@.service.in
@@ -22,6 +22,7 @@ IPAddressDeny=any
 LockPersonality=yes
 MemoryDenyWriteExecute=yes
 Nice=9
+NoNewPrivileges=yes
 OOMScoreAdjust=500
 PrivateDevices=yes
 PrivateNetwork=yes
diff --git a/units/systemd-hostnamed.service.in b/units/systemd-hostnamed.service.in
index 696d4e2e60f..9c925e80d9f 100644
--- a/units/systemd-hostnamed.service.in
+++ b/units/systemd-hostnamed.service.in
@@ -19,6 +19,7 @@ ExecStart=@rootlibexecdir@/systemd-hostnamed
 IPAddressDeny=any
 LockPersonality=yes
 MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
 PrivateDevices=yes
 PrivateNetwork=yes
 PrivateTmp=yes
diff --git a/units/systemd-initctl.service.in b/units/systemd-initctl.service.in
index f48d673d587..c2762839084 100644
--- a/units/systemd-initctl.service.in
+++ b/units/systemd-initctl.service.in
@@ -14,5 +14,6 @@ DefaultDependencies=no
 
 [Service]
 ExecStart=@rootlibexecdir@/systemd-initctl
+NoNewPrivileges=yes
 NotifyAccess=all
 SystemCallArchitectures=native
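Review bot: The added `NoNewPrivileges=yes` in systemd-coredump@.service.in is unconditional, and on an SELinux-enforcing system whose kernel or loaded policy does not yet allow a domain transition under no_new_privs the execve() from PID1's init_t context is refused outright, so as far as I can tell the unit would fail to start rather than merely run with the old label; the same line is added in the fourteen other hunks of this commit (hostnamed, initctl, journal-gatewayd, journal-remote, journal-upload, journald, localed, logind, machined, networkd, resolved, rfkill, timedated, timesyncd), so the exposure is boot-wide. The commit message asks for a synchronized policy update, but nothing in the units records that requirement where a packager or administrator would see it, so I would place a comment above the new line, `# NoNewPrivileges= needs an SELinux policy permitting NNP transitions from init_t`, at least in this first unit, and mirror it in NEWS. It is also worth stating in that note that this is a real behavioural change for the system manager and not a no-op: my reading of the exec code is that the other sandboxing directives visible here (LockPersonality=, MemoryDenyWriteExecute=, and friends) only imply NNP when the manager itself is unprivileged, which is an inference from the implementation rather than something the hunk shows.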
diff --git a/units/systemd-journal-gatewayd.service.in b/units/systemd-journal-gatewayd.service.in
index 5ef4ee0058c..ebc8bf9a254 100644
--- a/units/systemd-journal-gatewayd.service.in
+++ b/units/systemd-journal-gatewayd.service.in
@@ -17,6 +17,7 @@ DynamicUser=yes
 ExecStart=@rootlibexecdir@/systemd-journal-gatewayd
 LockPersonality=yes
 MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
 PrivateDevices=yes
 PrivateNetwork=yes
 ProtectControlGroups=yes
diff --git a/units/systemd-journal-remote.service.in b/units/systemd-journal-remote.service.in
index ec1311da88e..29a99aaec1a 100644
--- a/units/systemd-journal-remote.service.in
+++ b/units/systemd-journal-remote.service.in
@@ -17,6 +17,7 @@ ExecStart=@rootlibexecdir@/systemd-journal-remote --listen-https=-3 --output=/va
 LockPersonality=yes
 LogsDirectory=journal/remote
 MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
 PrivateDevices=yes
 PrivateNetwork=yes
 PrivateTmp=yes
diff --git a/units/systemd-journal-upload.service.in b/units/systemd-journal-upload.service.in
index a15744e1e8f..92cd4e52592 100644
--- a/units/systemd-journal-upload.service.in
+++ b/units/systemd-journal-upload.service.in
@@ -18,6 +18,7 @@ DynamicUser=yes
 ExecStart=@rootlibexecdir@/systemd-journal-upload --save-state
 LockPersonality=yes
 MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
 PrivateDevices=yes
 ProtectControlGroups=yes
 ProtectHome=yes
diff --git a/units/systemd-journald.service.in b/units/systemd-journald.service.in
index 7b659d4b03c..4684f095c07 100644
--- a/units/systemd-journald.service.in
+++ b/units/systemd-journald.service.in
@@ -22,6 +22,7 @@ FileDescriptorStoreMax=4224
 IPAddressDeny=any
 LockPersonality=yes
 MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
 Restart=always
 RestartSec=0
 RestrictAddressFamilies=AF_UNIX AF_NETLINK
diff --git a/units/systemd-localed.service.in b/units/systemd-localed.service.in
index 7d40fb4897d..01e0703d0e2 100644
--- a/units/systemd-localed.service.in
+++ b/units/systemd-localed.service.in
@@ -19,6 +19,7 @@ ExecStart=@rootlibexecdir@/systemd-localed
 IPAddressDeny=any
 LockPersonality=yes
 MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
 PrivateDevices=yes
 PrivateNetwork=yes
 PrivateTmp=yes
diff --git a/units/systemd-logind.service.in b/units/systemd-logind.service.in
index 6b362ccdca6..38a7f269aca 100644
--- a/units/systemd-logind.service.in
+++ b/units/systemd-logind.service.in
@@ -27,6 +27,7 @@ FileDescriptorStoreMax=512
 IPAddressDeny=any
 LockPersonality=yes
 MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
 Restart=always
 RestartSec=0
 RestrictAddressFamilies=AF_UNIX AF_NETLINK
diff --git a/units/systemd-machined.service.in b/units/systemd-machined.service.in
index d90e71ae676..9f1476814df 100644
--- a/units/systemd-machined.service.in
+++ b/units/systemd-machined.service.in
@@ -22,6 +22,7 @@ ExecStart=@rootlibexecdir@/systemd-machined
 IPAddressDeny=any
 LockPersonality=yes
 MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
 RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
 RestrictRealtime=yes
 SystemCallArchitectures=native
diff --git a/units/systemd-networkd.service.in b/units/systemd-networkd.service.in
index f23bf227fb6..472ef045de9 100644
--- a/units/systemd-networkd.service.in
+++ b/units/systemd-networkd.service.in
@@ -24,6 +24,7 @@ CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_N
 ExecStart=!!@rootlibexecdir@/systemd-networkd
 LockPersonality=yes
 MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
 ProtectControlGroups=yes
 ProtectHome=yes
 ProtectKernelModules=yes
diff --git a/units/systemd-resolved.service.in b/units/systemd-resolved.service.in
index d08842f0d43..3144b70063e 100644
--- a/units/systemd-resolved.service.in
+++ b/units/systemd-resolved.service.in
@@ -25,6 +25,7 @@ CapabilityBoundingSet=CAP_SETPCAP CAP_NET_RAW CAP_NET_BIND_SERVICE
 ExecStart=!!@rootlibexecdir@/systemd-resolved
 LockPersonality=yes
 MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
 PrivateDevices=yes
 PrivateTmp=yes
 ProtectControlGroups=yes
diff --git a/units/systemd-rfkill.service.in b/units/systemd-rfkill.service.in
index 7447ed5b5bf..3abb958310d 100644
--- a/units/systemd-rfkill.service.in
+++ b/units/systemd-rfkill.service.in
@@ -18,6 +18,7 @@ Before=shutdown.target
 
 [Service]
 ExecStart=@rootlibexecdir@/systemd-rfkill
+NoNewPrivileges=yes
 StateDirectory=systemd/rfkill
 TimeoutSec=30s
 Type=notify
diff --git a/units/systemd-timedated.service.in b/units/systemd-timedated.service.in
index 1105f1a9804..6d530241957 100644
--- a/units/systemd-timedated.service.in
+++ b/units/systemd-timedated.service.in
@@ -19,6 +19,7 @@ ExecStart=@rootlibexecdir@/systemd-timedated
 IPAddressDeny=any
 LockPersonality=yes
 MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
 PrivateTmp=yes
 ProtectControlGroups=yes
 ProtectHome=yes
diff --git a/units/systemd-timesyncd.service.in b/units/systemd-timesyncd.service.in
index 8b99e92e017..03ade45d086 100644
--- a/units/systemd-timesyncd.service.in
+++ b/units/systemd-timesyncd.service.in
@@ -24,6 +24,7 @@ CapabilityBoundingSet=CAP_SYS_TIME
 ExecStart=!!@rootlibexecdir@/systemd-timesyncd
 LockPersonality=yes
 MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
 PrivateDevices=yes
 PrivateTmp=yes
 ProtectControlGroups=yes