units: prohibit all IP traffic on all our long-running services (#6921)

author Lennart Poettering <lennart@poettering.net>

Wed, 4 Oct 2017 12:16:28 +0000 (14:16 +0200)

committer Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>

Wed, 4 Oct 2017 12:16:28 +0000 (14:16 +0200)
author Lennart Poettering <lennart@poettering.net>
Wed, 4 Oct 2017 12:16:28 +0000 (14:16 +0200)
committer Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
Wed, 4 Oct 2017 12:16:28 +0000 (14:16 +0200)
diff --git a/units/systemd-coredump@.service.in b/units/systemd-coredump@.service.in

index d7eaf3398e7070bee39ddb7e173c7f71ef43fcf5..ef58f0cb3ef5626d4c264f3de5204ad8bef39ebc 100644 (file)
--- a/units/systemd-coredump@.service.in
+++ b/units/systemd-coredump@.service.in
@@ -34,4 +34,5 @@ RestrictAddressFamilies=AF_UNIX
  SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
  SystemCallArchitectures=native
  LockPersonality=yes
+IPAddressDeny=any
  StateDirectory=systemd/coredump
diff --git a/units/systemd-hostnamed.service.in b/units/systemd-hostnamed.service.in

index 9bb5ad8cac002f6c72edf1ba2097c179cfcb6367..cfee2cbbf19f7a7d672964c52677fe546e602cff 100644 (file)
--- a/units/systemd-hostnamed.service.in
+++ b/units/systemd-hostnamed.service.in
@@ -30,4 +30,5 @@ RestrictAddressFamilies=AF_UNIX
  SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
  SystemCallArchitectures=native
  LockPersonality=yes
+IPAddressDeny=any
  ReadWritePaths=/etc
diff --git a/units/systemd-journald.service.in b/units/systemd-journald.service.in

index 07e03e736ef7cae33997a9334aec9bf6e537dfae..a747fe3f1f21d5b972a15807448b7e6e5f8fab2a 100644 (file)
--- a/units/systemd-journald.service.in
+++ b/units/systemd-journald.service.in
@@ -30,6 +30,7 @@ RestrictAddressFamilies=AF_UNIX AF_NETLINK
  SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
  SystemCallArchitectures=native
  LockPersonality=yes
+IPAddressDeny=any
  
  # Increase the default a bit in order to allow many simultaneous
  # services being run since we keep one fd open per service. Also, when
diff --git a/units/systemd-localed.service.in b/units/systemd-localed.service.in

index 1366fa791069cc4eff509bb2670391285b15c2f5..5dd8b1889472615286a3d5d44bb5e949332f7e37 100644 (file)
--- a/units/systemd-localed.service.in
+++ b/units/systemd-localed.service.in
@@ -30,4 +30,5 @@ RestrictAddressFamilies=AF_UNIX
  SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
  SystemCallArchitectures=native
  LockPersonality=yes
+IPAddressDeny=any
  ReadWritePaths=/etc
diff --git a/units/systemd-logind.service.in b/units/systemd-logind.service.in

index f6daf7755cd1ccbc08692e528cb1922d774131a4..de380a27d3898dcb75c20383c4209cfc45a9f2d8 100644 (file)
--- a/units/systemd-logind.service.in
+++ b/units/systemd-logind.service.in
@@ -31,6 +31,7 @@ RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
  SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @obsolete @raw-io @reboot @swap
  SystemCallArchitectures=native
  LockPersonality=yes
+IPAddressDeny=any
  FileDescriptorStoreMax=512
  
  # Increase the default a bit in order to allow many simultaneous
diff --git a/units/systemd-machined.service.in b/units/systemd-machined.service.in

index fb4df3829310f3e1bde8a5cde7f9460c71e2633b..03b9bf5c0dbbc83ae1f1fe34ad2225d3d7e73085 100644 (file)
--- a/units/systemd-machined.service.in
+++ b/units/systemd-machined.service.in
@@ -24,6 +24,7 @@ RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
  SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @obsolete @raw-io @reboot @swap
  SystemCallArchitectures=native
  LockPersonality=yes
+IPAddressDeny=any
  
  # Note that machined cannot be placed in a mount namespace, since it
  # needs access to the host's mount namespace in order to implement the
diff --git a/units/systemd-timedated.service.in b/units/systemd-timedated.service.in

index 9fca1d1905d039a5e1c7813fa953ee1acdb7f146..97130e93c34a42b7af9445bf45c153b338ab1ecf 100644 (file)
--- a/units/systemd-timedated.service.in
+++ b/units/systemd-timedated.service.in
@@ -28,4 +28,5 @@ RestrictAddressFamilies=AF_UNIX
  SystemCallFilter=~@cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
  SystemCallArchitectures=native
  LockPersonality=yes
+IPAddressDeny=any
  ReadWritePaths=/etc
diff --git a/units/systemd-udevd.service.in b/units/systemd-udevd.service.in

index d3d13ed7cf2ef3291267fb5b02d4e0a3f3277f58..03909f5d7ff5ec461e36ba39ccaa9ddccf0d9156 100644 (file)
--- a/units/systemd-udevd.service.in
+++ b/units/systemd-udevd.service.in
@@ -29,3 +29,4 @@ RestrictRealtime=yes
  RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
  SystemCallArchitectures=native
  LockPersonality=yes
+IPAddressDeny=any
author	Lennart Poettering <lennart@poettering.net>
	Wed, 4 Oct 2017 12:16:28 +0000 (14:16 +0200)
committer	Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
	Wed, 4 Oct 2017 12:16:28 +0000 (14:16 +0200)
units/systemd-coredump@.service.in		patch \| blob \| blame \| history
units/systemd-hostnamed.service.in		patch \| blob \| blame \| history
units/systemd-journald.service.in		patch \| blob \| blame \| history
units/systemd-localed.service.in		patch \| blob \| blame \| history
units/systemd-logind.service.in		patch \| blob \| blame \| history
units/systemd-machined.service.in		patch \| blob \| blame \| history
units/systemd-timedated.service.in		patch \| blob \| blame \| history
units/systemd-udevd.service.in		patch \| blob \| blame \| history