From: Lennart Poettering Date: Mon, 12 Nov 2018 17:08:48 +0000 (+0100) Subject: units: lock down systemd-logind.service with various fs namespacing options X-Git-Tag: v240~338^2 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=refs%2Fpull%2F10744%2Fhead;p=thirdparty%2Fsystemd.git units: lock down systemd-logind.service with various fs namespacing options now that logind doesn't mount $XDG_RUNTIME_DIR anymore we can lock down the service using fs namespacing (as we don't need the mount to propagate to the host namespace anymore). --- diff --git a/units/systemd-logind.service.in b/units/systemd-logind.service.in index ff1fd96765a..6886fa9bfef 100644 --- a/units/systemd-logind.service.in +++ b/units/systemd-logind.service.in @@ -28,11 +28,19 @@ IPAddressDeny=any LockPersonality=yes MemoryDenyWriteExecute=yes NoNewPrivileges=yes +PrivateTmp=yes +ProtectControlGroups=yes +ProtectHome=yes +ProtectKernelModules=yes +ProtectSystem=strict +ReadWritePaths=/etc Restart=always RestartSec=0 RestrictAddressFamilies=AF_UNIX AF_NETLINK RestrictNamespaces=yes RestrictRealtime=yes +RuntimeDirectory=systemd/sessions systemd/seats systemd/users +RuntimeDirectoryPreserve=yes SystemCallArchitectures=native SystemCallErrorNumber=EPERM SystemCallFilter=@system-service
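Review bot: `ReadWritePaths=/etc`, in the block added after `NoNewPrivileges=yes`, makes the whole of /etc writable again under `ProtectSystem=strict`, and neither the unit file nor the commit message says which file logind needs to write there. Either narrow the entry to the specific path or paths, or add a comment in the unit naming them, so the exception can be audited and tightened later. A second point on the same hunk: with `ProtectSystem=strict` the only writable locations under /run visible here are the three `RuntimeDirectory=` entries (`systemd/sessions systemd/seats systemd/users`). It is worth confirming that logind writes nowhere else under /run, since any such write would fail once this lands. `RuntimeDirectoryPreserve=yes` alongside `Restart=always` looks intentional, so that session state survives a restart, but a one-line comment saying so would help.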