units: set NoNewPrivileges= for all long-running services

Previously, setting this option by default was problematic due to
SELinux (as this would also prohibit the transition from PID1's label to
the service's label). However, this restriction has since been lifted,
hence let's start making use of this universally in our services.

On SELinux system this change should be synchronized with a policy
update that ensures that NNP-ful transitions from init_t to service
labels is permitted.

Fixes: #1219

diff --git a/units/systemd-coredump@.service.in b/units/systemd-coredump@.service.in
index 74dcf7fe06b1dba10eed485b35f4f5e51b5388b9..ffcb5f36ca6c551ab74c7c7a79161d8dc97fafa4 100644 (file)
--- a/units/systemd-coredump@.service.in
+++ b/units/systemd-coredump@.service.in
@@ -22,6 +22,7 @@ IPAddressDeny=any
 LockPersonality=yes
 MemoryDenyWriteExecute=yes
 Nice=9
+NoNewPrivileges=yes
 OOMScoreAdjust=500
 PrivateDevices=yes
 PrivateNetwork=yes

diff --git a/units/systemd-hostnamed.service.in b/units/systemd-hostnamed.service.in
index 696d4e2e60fbb733580d82f3a94be8f3b2f3674e..9c925e80d9fe57bb1acb0bc3c0d2d4a4e0e6ab33 100644 (file)
--- a/units/systemd-hostnamed.service.in
+++ b/units/systemd-hostnamed.service.in
@@ -19,6 +19,7 @@ ExecStart=@rootlibexecdir@/systemd-hostnamed
 IPAddressDeny=any
 LockPersonality=yes
 MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
 PrivateDevices=yes
 PrivateNetwork=yes
 PrivateTmp=yes

diff --git a/units/systemd-initctl.service.in b/units/systemd-initctl.service.in
index f48d673d587a331af5866f1ed7a36c3137dcce3d..c276283908486b49ec6459088063ad8f1875f8c3 100644 (file)
--- a/units/systemd-initctl.service.in
+++ b/units/systemd-initctl.service.in
@@ -14,5 +14,6 @@ DefaultDependencies=no
 
 [Service]
 ExecStart=@rootlibexecdir@/systemd-initctl
+NoNewPrivileges=yes
 NotifyAccess=all
 SystemCallArchitectures=native

diff --git a/units/systemd-journal-gatewayd.service.in b/units/systemd-journal-gatewayd.service.in
index 5ef4ee0058c4c138ddabae3d59f0d222d069fa74..ebc8bf9a254368b981d7e43391e0c7223657ed2d 100644 (file)
--- a/units/systemd-journal-gatewayd.service.in
+++ b/units/systemd-journal-gatewayd.service.in
@@ -17,6 +17,7 @@ DynamicUser=yes
 ExecStart=@rootlibexecdir@/systemd-journal-gatewayd
 LockPersonality=yes
 MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
 PrivateDevices=yes
 PrivateNetwork=yes
 ProtectControlGroups=yes

diff --git a/units/systemd-journal-remote.service.in b/units/systemd-journal-remote.service.in
index ec1311da88edb1e72fe639cf72b960bcc2db3a39..29a99aaec1ae0281d6a0dc4499db93528c26fa25 100644 (file)
--- a/units/systemd-journal-remote.service.in
+++ b/units/systemd-journal-remote.service.in
@@ -17,6 +17,7 @@ ExecStart=@rootlibexecdir@/systemd-journal-remote --listen-https=-3 --output=/va
 LockPersonality=yes
 LogsDirectory=journal/remote
 MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
 PrivateDevices=yes
 PrivateNetwork=yes
 PrivateTmp=yes

diff --git a/units/systemd-journal-upload.service.in b/units/systemd-journal-upload.service.in
index a15744e1e8ff60fc5d1072fea2711d65a14f969a..92cd4e52592bf1ff4b87fa11b86ba7577fc963e7 100644 (file)
--- a/units/systemd-journal-upload.service.in
+++ b/units/systemd-journal-upload.service.in
@@ -18,6 +18,7 @@ DynamicUser=yes
 ExecStart=@rootlibexecdir@/systemd-journal-upload --save-state
 LockPersonality=yes
 MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
 PrivateDevices=yes
 ProtectControlGroups=yes
 ProtectHome=yes

diff --git a/units/systemd-journald.service.in b/units/systemd-journald.service.in
index 7b659d4b03c875323f895b5b5e33dd09fb12735c..4684f095c0778f4d21d376bab2c6c1e36dba9bab 100644 (file)
--- a/units/systemd-journald.service.in
+++ b/units/systemd-journald.service.in
@@ -22,6 +22,7 @@ FileDescriptorStoreMax=4224
 IPAddressDeny=any
 LockPersonality=yes
 MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
 Restart=always
 RestartSec=0
 RestrictAddressFamilies=AF_UNIX AF_NETLINK

diff --git a/units/systemd-localed.service.in b/units/systemd-localed.service.in
index 7d40fb4897d4a7de1a0024307368aec2bcccbc42..01e0703d0e207c7da718feb6dd26f2d21becca24 100644 (file)
--- a/units/systemd-localed.service.in
+++ b/units/systemd-localed.service.in
@@ -19,6 +19,7 @@ ExecStart=@rootlibexecdir@/systemd-localed
 IPAddressDeny=any
 LockPersonality=yes
 MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
 PrivateDevices=yes
 PrivateNetwork=yes
 PrivateTmp=yes

diff --git a/units/systemd-logind.service.in b/units/systemd-logind.service.in
index 6b362ccdca6b84f3d1267857ec8e230205176a14..38a7f269aca173af5f5c66ceaaaea009a2b2d766 100644 (file)
--- a/units/systemd-logind.service.in
+++ b/units/systemd-logind.service.in
@@ -27,6 +27,7 @@ FileDescriptorStoreMax=512
 IPAddressDeny=any
 LockPersonality=yes
 MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
 Restart=always
 RestartSec=0
 RestrictAddressFamilies=AF_UNIX AF_NETLINK

diff --git a/units/systemd-machined.service.in b/units/systemd-machined.service.in
index d90e71ae67641e50565c9d15fd2c4c4d5be0db6f..9f1476814df60d96d47f48b1144b75a38f7b201b 100644 (file)
--- a/units/systemd-machined.service.in
+++ b/units/systemd-machined.service.in
@@ -22,6 +22,7 @@ ExecStart=@rootlibexecdir@/systemd-machined
 IPAddressDeny=any
 LockPersonality=yes
 MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
 RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
 RestrictRealtime=yes
 SystemCallArchitectures=native

diff --git a/units/systemd-networkd.service.in b/units/systemd-networkd.service.in
index f23bf227fb6a580d0cb5ca4242046abbc9f65925..472ef045de9e5cce5f421ef27a2ff4643a0be22b 100644 (file)
--- a/units/systemd-networkd.service.in
+++ b/units/systemd-networkd.service.in
@@ -24,6 +24,7 @@ CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_N
 ExecStart=!!@rootlibexecdir@/systemd-networkd
 LockPersonality=yes
 MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
 ProtectControlGroups=yes
 ProtectHome=yes
 ProtectKernelModules=yes

diff --git a/units/systemd-resolved.service.in b/units/systemd-resolved.service.in
index d08842f0d43e8bed57cb043d1b636e8bfff3de30..3144b70063ee3acc4bd4a1fb704e7824143b1d23 100644 (file)
--- a/units/systemd-resolved.service.in
+++ b/units/systemd-resolved.service.in
@@ -25,6 +25,7 @@ CapabilityBoundingSet=CAP_SETPCAP CAP_NET_RAW CAP_NET_BIND_SERVICE
 ExecStart=!!@rootlibexecdir@/systemd-resolved
 LockPersonality=yes
 MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
 PrivateDevices=yes
 PrivateTmp=yes
 ProtectControlGroups=yes

diff --git a/units/systemd-rfkill.service.in b/units/systemd-rfkill.service.in
index 7447ed5b5bf04beacd67a104f3cbda775d88cc37..3abb958310dbb8b09c655d7fde61fa4f32bb1c90 100644 (file)
--- a/units/systemd-rfkill.service.in
+++ b/units/systemd-rfkill.service.in
@@ -18,6 +18,7 @@ Before=shutdown.target
 
 [Service]
 ExecStart=@rootlibexecdir@/systemd-rfkill
+NoNewPrivileges=yes
 StateDirectory=systemd/rfkill
 TimeoutSec=30s
 Type=notify

diff --git a/units/systemd-timedated.service.in b/units/systemd-timedated.service.in
index 1105f1a98041fa626840337c9cf5616dc557f18a..6d5302419579bf5c4e52adf2ffb4c1f2be3898fe 100644 (file)
--- a/units/systemd-timedated.service.in
+++ b/units/systemd-timedated.service.in
@@ -19,6 +19,7 @@ ExecStart=@rootlibexecdir@/systemd-timedated
 IPAddressDeny=any
 LockPersonality=yes
 MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
 PrivateTmp=yes
 ProtectControlGroups=yes
 ProtectHome=yes

diff --git a/units/systemd-timesyncd.service.in b/units/systemd-timesyncd.service.in
index 8b99e92e0172c548ab020175a1cdd8859a3d4e0d..03ade45d0868e57e74614320b3e1e34df13adf23 100644 (file)
--- a/units/systemd-timesyncd.service.in
+++ b/units/systemd-timesyncd.service.in
@@ -24,6 +24,7 @@ CapabilityBoundingSet=CAP_SYS_TIME
 ExecStart=!!@rootlibexecdir@/systemd-timesyncd
 LockPersonality=yes
 MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
 PrivateDevices=yes
 PrivateTmp=yes
 ProtectControlGroups=yes