units: add a basic SystemCallFilter (#3471)

Add a line
SystemCallFilter=~@clock @module @mount @obsolete @raw-io ptrace
for daemons shipped by systemd. As an exception, systemd-timesyncd
needs @clock system calls and systemd-localed is not privileged.
ptrace(2) is blocked to prevent seccomp escapes.

diff --git a/units/systemd-hostnamed.service.in b/units/systemd-hostnamed.service.in
index fc43b2c4a67488314fb5c0bd8673f100711e873c..d8f18bed53692b6784c7c54c9a69ddab467daddf 100644 (file)
--- a/units/systemd-hostnamed.service.in
+++ b/units/systemd-hostnamed.service.in
@@ -21,3 +21,4 @@ PrivateNetwork=yes
 ProtectSystem=yes
 ProtectHome=yes
 MemoryDenyWriteExecute=yes
+SystemCallFilter=~@clock @module @mount @obsolete @raw-io ptrace

diff --git a/units/systemd-importd.service.in b/units/systemd-importd.service.in
index 2f8138e88e6c3153855923c3346418280a9064b1..a3d1a1519b5e58c825a3cb093e700e355b0d99db 100644 (file)
--- a/units/systemd-importd.service.in
+++ b/units/systemd-importd.service.in
@@ -18,3 +18,4 @@ NoNewPrivileges=yes
 WatchdogSec=3min
 KillMode=mixed
 MemoryDenyWriteExecute=yes
+SystemCallFilter=~@clock @module @mount @obsolete @raw-io ptrace

diff --git a/units/systemd-journald.service.in b/units/systemd-journald.service.in
index 06abe048611a9f01865beef5eb77118d4e9c0bc5..58808d4f8ce70835fc35f1a00db82a622d51933a 100644 (file)
--- a/units/systemd-journald.service.in
+++ b/units/systemd-journald.service.in
@@ -25,6 +25,7 @@ CapabilityBoundingSet=CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SYS_PTRACE CAP_SYSLOG C
 WatchdogSec=3min
 FileDescriptorStoreMax=1024
 MemoryDenyWriteExecute=yes
+SystemCallFilter=~@clock @module @mount @obsolete @raw-io ptrace
 
 # Increase the default a bit in order to allow many simultaneous
 # services being run since we keep one fd open per service. Also, when

diff --git a/units/systemd-localed.service.in b/units/systemd-localed.service.in
index 743221472cb574752667cdd9a9499df9d1f74b3a..5efa6775489b0261a9d116fba3750c087597cdaf 100644 (file)
--- a/units/systemd-localed.service.in
+++ b/units/systemd-localed.service.in
@@ -21,3 +21,4 @@ PrivateNetwork=yes
 ProtectSystem=yes
 ProtectHome=yes
 MemoryDenyWriteExecute=yes
+SystemCallFilter=~@clock @module @mount @obsolete @privileged @raw-io ptrace

diff --git a/units/systemd-logind.service.in b/units/systemd-logind.service.in
index 67e2c34482ac238225c353088dad5a82f0dd5012..a9598760e293753fe4324631864ab261225903bc 100644 (file)
--- a/units/systemd-logind.service.in
+++ b/units/systemd-logind.service.in
@@ -26,6 +26,7 @@ BusName=org.freedesktop.login1
 CapabilityBoundingSet=CAP_SYS_ADMIN CAP_MAC_ADMIN CAP_AUDIT_CONTROL CAP_CHOWN CAP_KILL CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE CAP_FOWNER CAP_SYS_TTY_CONFIG
 WatchdogSec=3min
 MemoryDenyWriteExecute=yes
+SystemCallFilter=~@clock @module @mount @obsolete @raw-io ptrace
 
 # Increase the default a bit in order to allow many simultaneous
 # logins since we keep one fd open per session.

diff --git a/units/systemd-machined.service.in b/units/systemd-machined.service.in
index 1517068ecdf55c060c332fe2ece44cc44b377abd..82dca0533829bc82646b0431a4b0291e6c64ac6d 100644 (file)
--- a/units/systemd-machined.service.in
+++ b/units/systemd-machined.service.in
@@ -18,6 +18,7 @@ BusName=org.freedesktop.machine1
 CapabilityBoundingSet=CAP_KILL CAP_SYS_PTRACE CAP_SYS_ADMIN CAP_SETGID CAP_SYS_CHROOT CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE CAP_CHOWN CAP_FOWNER CAP_FSETID CAP_MKNOD
 WatchdogSec=3min
 MemoryDenyWriteExecute=yes
+SystemCallFilter=~@clock @module @mount @obsolete @raw-io ptrace
 
 # Note that machined cannot be placed in a mount namespace, since it
 # needs access to the host's mount namespace in order to implement the

diff --git a/units/systemd-networkd.service.m4.in b/units/systemd-networkd.service.m4.in
index 3c9970fa48a2c8c521df5f1f0695ab03e28ea4c0..3feb2b84f5ae18e66bdd7268c99126c7bd46184c 100644 (file)
--- a/units/systemd-networkd.service.m4.in
+++ b/units/systemd-networkd.service.m4.in
@@ -32,6 +32,7 @@ ProtectSystem=full
 ProtectHome=yes
 WatchdogSec=3min
 MemoryDenyWriteExecute=yes
+SystemCallFilter=~@clock @module @mount @obsolete @raw-io ptrace
 
 [Install]
 WantedBy=multi-user.target

diff --git a/units/systemd-resolved.service.m4.in b/units/systemd-resolved.service.m4.in
index 07c7658bcc02eac4b565b3135d84f5a2cde80ebe..4a94f747e2e99f9ef4d743371221171960863c92 100644 (file)
--- a/units/systemd-resolved.service.m4.in
+++ b/units/systemd-resolved.service.m4.in
@@ -28,6 +28,7 @@ ProtectSystem=full
 ProtectHome=yes
 WatchdogSec=3min
 MemoryDenyWriteExecute=yes
+SystemCallFilter=~@clock @module @mount @obsolete @raw-io ptrace
 
 [Install]
 WantedBy=multi-user.target

diff --git a/units/systemd-timedated.service.in b/units/systemd-timedated.service.in
index 3636091472831d0360568612af6fbe94a2a1021f..1bdbe65aad6f5f352865812ee048762052142f34 100644 (file)
--- a/units/systemd-timedated.service.in
+++ b/units/systemd-timedated.service.in
@@ -19,3 +19,4 @@ PrivateTmp=yes
 ProtectSystem=yes
 ProtectHome=yes
 MemoryDenyWriteExecute=yes
+SystemCallFilter=~@module @mount @obsolete @raw-io ptrace

diff --git a/units/systemd-timesyncd.service.in b/units/systemd-timesyncd.service.in
index caf1dc132fa176ea23453b7964ce390033b0f899..8c86021f5ee84f0fdffd029ebdee0b585c5af066 100644 (file)
--- a/units/systemd-timesyncd.service.in
+++ b/units/systemd-timesyncd.service.in
@@ -29,6 +29,7 @@ ProtectSystem=full
 ProtectHome=yes
 WatchdogSec=3min
 MemoryDenyWriteExecute=yes
+SystemCallFilter=~@module @mount @obsolete @raw-io ptrace
 
 [Install]
 WantedBy=sysinit.target