units: turn on RestrictSUIDSGID= in most of our long-running daemons

author Lennart Poettering <lennart@poettering.net>

Wed, 20 Mar 2019 18:52:20 +0000 (19:52 +0100)

committer Lennart Poettering <lennart@poettering.net>

Tue, 2 Apr 2019 14:56:48 +0000 (16:56 +0200)
author Lennart Poettering <lennart@poettering.net>
Wed, 20 Mar 2019 18:52:20 +0000 (19:52 +0100)
committer Lennart Poettering <lennart@poettering.net>
Tue, 2 Apr 2019 14:56:48 +0000 (16:56 +0200)
diff --git a/units/systemd-coredump@.service.in b/units/systemd-coredump@.service.in

index f6166fa11ce839e3bec8ff7fa61579182acfd67b..afb2ab9d17352e453186ebca8a61d888c24ec7fa 100644 (file)
--- a/units/systemd-coredump@.service.in
+++ b/units/systemd-coredump@.service.in
@@ -36,6 +36,7 @@ ProtectSystem=strict
  RestrictAddressFamilies=AF_UNIX
  RestrictNamespaces=yes
  RestrictRealtime=yes
+RestrictSUIDSGID=yes
  RuntimeMaxSec=5min
  StateDirectory=systemd/coredump
  SystemCallArchitectures=native
diff --git a/units/systemd-hostnamed.service.in b/units/systemd-hostnamed.service.in

index 9c925e80d9fe57bb1acb0bc3c0d2d4a4e0e6ab33..b4f606cf785a6b6e631b086a350ef4101e7509b0 100644 (file)
--- a/units/systemd-hostnamed.service.in
+++ b/units/systemd-hostnamed.service.in
@@ -32,6 +32,7 @@ ReadWritePaths=/etc
  RestrictAddressFamilies=AF_UNIX
  RestrictNamespaces=yes
  RestrictRealtime=yes
+RestrictSUIDSGID=yes
  SystemCallArchitectures=native
  SystemCallErrorNumber=EPERM
  SystemCallFilter=@system-service sethostname
diff --git a/units/systemd-journal-remote.service.in b/units/systemd-journal-remote.service.in

index 71727295c3d576bfd6043c97129de3aeacf04dd9..dd6322e62ccdae6853cd1641385870abe28f55d6 100644 (file)
--- a/units/systemd-journal-remote.service.in
+++ b/units/systemd-journal-remote.service.in
@@ -30,6 +30,7 @@ ProtectSystem=strict
  RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
  RestrictNamespaces=yes
  RestrictRealtime=yes
+RestrictSUIDSGID=yes
  SystemCallArchitectures=native
  User=systemd-journal-remote
  WatchdogSec=3min
diff --git a/units/systemd-journald.service.in b/units/systemd-journald.service.in

index 4684f095c0778f4d21d376bab2c6c1e36dba9bab..fab405502a04e39c18ba63137886bae3f333bf4b 100644 (file)
--- a/units/systemd-journald.service.in
+++ b/units/systemd-journald.service.in
@@ -28,6 +28,7 @@ RestartSec=0
  RestrictAddressFamilies=AF_UNIX AF_NETLINK
  RestrictNamespaces=yes
  RestrictRealtime=yes
+RestrictSUIDSGID=yes
  Sockets=systemd-journald.socket systemd-journald-dev-log.socket systemd-journald-audit.socket
  StandardOutput=null
  SystemCallArchitectures=native
diff --git a/units/systemd-localed.service.in b/units/systemd-localed.service.in

index a64e7e79a8fbbebcca7a7ff5f22c19bcd575af5d..7bca34409acec0fd8104f221d515203fa5fd1622 100644 (file)
--- a/units/systemd-localed.service.in
+++ b/units/systemd-localed.service.in
@@ -33,6 +33,7 @@ ReadWritePaths=/etc
  RestrictAddressFamilies=AF_UNIX
  RestrictNamespaces=yes
  RestrictRealtime=yes
+RestrictSUIDSGID=yes
  SystemCallArchitectures=native
  SystemCallErrorNumber=EPERM
  SystemCallFilter=@system-service
diff --git a/units/systemd-logind.service.in b/units/systemd-logind.service.in

index 9c8938ec4ad5ce859e7f564973117e96e3df8157..3eef95c6614f03fdbe25b16344251ef5d3ac4837 100644 (file)
--- a/units/systemd-logind.service.in
+++ b/units/systemd-logind.service.in
@@ -40,6 +40,7 @@ RestartSec=0
  RestrictAddressFamilies=AF_UNIX AF_NETLINK
  RestrictNamespaces=yes
  RestrictRealtime=yes
+RestrictSUIDSGID=yes
  RuntimeDirectory=systemd/sessions systemd/seats systemd/users systemd/inhibit systemd/shutdown
  RuntimeDirectoryPreserve=yes
  SystemCallArchitectures=native
diff --git a/units/systemd-networkd.service.in b/units/systemd-networkd.service.in

index 472ef045de9e5cce5f421ef27a2ff4643a0be22b..2c74da6f1ede5774b2fdbaaa08d64bf046202a3c 100644 (file)
--- a/units/systemd-networkd.service.in
+++ b/units/systemd-networkd.service.in
@@ -34,6 +34,7 @@ RestartSec=0
  RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6 AF_PACKET
  RestrictNamespaces=yes
  RestrictRealtime=yes
+RestrictSUIDSGID=yes
  RuntimeDirectory=systemd/netif
  RuntimeDirectoryPreserve=yes
  SystemCallArchitectures=native
diff --git a/units/systemd-resolved.service.in b/units/systemd-resolved.service.in

index 3144b70063ee3acc4bd4a1fb704e7824143b1d23..eee5d5ea8f4133fde2077cd6c55391a9c7c4c443 100644 (file)
--- a/units/systemd-resolved.service.in
+++ b/units/systemd-resolved.service.in
@@ -38,6 +38,7 @@ RestartSec=0
  RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
  RestrictNamespaces=yes
  RestrictRealtime=yes
+RestrictSUIDSGID=yes
  RuntimeDirectory=systemd/resolve
  RuntimeDirectoryPreserve=yes
  SystemCallArchitectures=native
diff --git a/units/systemd-timedated.service.in b/units/systemd-timedated.service.in

index 46ee8c894df6ae65251155b47977beab38008454..df546f471faa6ed9d424bac5e418f03776fdb4d7 100644 (file)
--- a/units/systemd-timedated.service.in
+++ b/units/systemd-timedated.service.in
@@ -31,6 +31,7 @@ ReadWritePaths=/etc
  RestrictAddressFamilies=AF_UNIX
  RestrictNamespaces=yes
  RestrictRealtime=yes
+RestrictSUIDSGID=yes
  SystemCallArchitectures=native
  SystemCallErrorNumber=EPERM
  SystemCallFilter=@system-service @clock
diff --git a/units/systemd-timesyncd.service.in b/units/systemd-timesyncd.service.in

index 5313a90c30b62390b04f4a5c6bdf5eb53ffbe571..6512531e1c5aa3811b5a3c3fb5b79012c19c7302 100644 (file)
--- a/units/systemd-timesyncd.service.in
+++ b/units/systemd-timesyncd.service.in
@@ -38,6 +38,7 @@ RestartSec=0
  RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
  RestrictNamespaces=yes
  RestrictRealtime=yes
+RestrictSUIDSGID=yes
  RuntimeDirectory=systemd/timesync
  StateDirectory=systemd/timesync
  SystemCallArchitectures=native
diff --git a/units/systemd-udevd.service.in b/units/systemd-udevd.service.in

index fb98ca4d43a2094484e2adafb7cca638fa85ec7c..e8a76cc0184258a04a70a4ee30b6f4cf3a288079 100644 (file)
--- a/units/systemd-udevd.service.in
+++ b/units/systemd-udevd.service.in
@@ -28,8 +28,9 @@ TasksMax=infinity
  PrivateMounts=yes
  ProtectHostname=yes
  MemoryDenyWriteExecute=yes
-RestrictRealtime=yes
  RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
  SystemCallFilter=@system-service @module @raw-io
  SystemCallErrorNumber=EPERM
  SystemCallArchitectures=native
author	Lennart Poettering <lennart@poettering.net>
	Wed, 20 Mar 2019 18:52:20 +0000 (19:52 +0100)
committer	Lennart Poettering <lennart@poettering.net>
	Tue, 2 Apr 2019 14:56:48 +0000 (16:56 +0200)
units/systemd-coredump@.service.in		patch \| blob \| blame \| history
units/systemd-hostnamed.service.in		patch \| blob \| blame \| history
units/systemd-journal-remote.service.in		patch \| blob \| blame \| history
units/systemd-journald.service.in		patch \| blob \| blame \| history
units/systemd-localed.service.in		patch \| blob \| blame \| history
units/systemd-logind.service.in		patch \| blob \| blame \| history
units/systemd-networkd.service.in		patch \| blob \| blame \| history
units/systemd-resolved.service.in		patch \| blob \| blame \| history
units/systemd-timedated.service.in		patch \| blob \| blame \| history
units/systemd-timesyncd.service.in		patch \| blob \| blame \| history
units/systemd-udevd.service.in		patch \| blob \| blame \| history