units: enable ProtectHostname=yes

diff --git a/units/systemd-coredump@.service.in b/units/systemd-coredump@.service.in
index ffcb5f36ca6c551ab74c7c7a79161d8dc97fafa4..f6166fa11ce839e3bec8ff7fa61579182acfd67b 100644 (file)
--- a/units/systemd-coredump@.service.in
+++ b/units/systemd-coredump@.service.in
@@ -29,6 +29,7 @@ PrivateNetwork=yes
 PrivateTmp=yes
 ProtectControlGroups=yes
 ProtectHome=yes
+ProtectHostname=yes
 ProtectKernelModules=yes
 ProtectKernelTunables=yes
 ProtectSystem=strict

diff --git a/units/systemd-hostnamed.service.in b/units/systemd-hostnamed.service.in
index 9c925e80d9fe57bb1acb0bc3c0d2d4a4e0e6ab33..62e9b28f5b702d00d7c2cfc74e8c8b2189042ace 100644 (file)
--- a/units/systemd-hostnamed.service.in
+++ b/units/systemd-hostnamed.service.in
@@ -25,6 +25,7 @@ PrivateNetwork=yes
 PrivateTmp=yes
 ProtectControlGroups=yes
 ProtectHome=yes
+ProtectHostname=yes
 ProtectKernelModules=yes
 ProtectKernelTunables=yes
 ProtectSystem=strict

diff --git a/units/systemd-importd.service.in b/units/systemd-importd.service.in
index 20704a82324780d9f41ad9af8b1574caf901a7a5..38b7d7e94b4745f45e94f666fa101d8e3c76b9f9 100644 (file)
--- a/units/systemd-importd.service.in
+++ b/units/systemd-importd.service.in
@@ -20,6 +20,7 @@ KillMode=mixed
 CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER CAP_FSETID CAP_MKNOD CAP_SETFCAP CAP_SYS_ADMIN CAP_SETPCAP CAP_DAC_OVERRIDE
 NoNewPrivileges=yes
 MemoryDenyWriteExecute=yes
+ProtectHostname=yes
 RestrictRealtime=yes
 RestrictNamespaces=net
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6

diff --git a/units/systemd-journal-gatewayd.service.in b/units/systemd-journal-gatewayd.service.in
index ebc8bf9a254368b981d7e43391e0c7223657ed2d..0f16ae4ccba1927cb85cb95b0acf7595d5b82d0c 100644 (file)
--- a/units/systemd-journal-gatewayd.service.in
+++ b/units/systemd-journal-gatewayd.service.in
@@ -22,6 +22,7 @@ PrivateDevices=yes
 PrivateNetwork=yes
 ProtectControlGroups=yes
 ProtectHome=yes
+ProtectHostname=yes
 ProtectKernelModules=yes
 ProtectKernelTunables=yes
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6

diff --git a/units/systemd-journal-remote.service.in b/units/systemd-journal-remote.service.in
index 29a99aaec1ae0281d6a0dc4499db93528c26fa25..71727295c3d576bfd6043c97129de3aeacf04dd9 100644 (file)
--- a/units/systemd-journal-remote.service.in
+++ b/units/systemd-journal-remote.service.in
@@ -23,6 +23,7 @@ PrivateNetwork=yes
 PrivateTmp=yes
 ProtectControlGroups=yes
 ProtectHome=yes
+ProtectHostname=yes
 ProtectKernelModules=yes
 ProtectKernelTunables=yes
 ProtectSystem=strict

diff --git a/units/systemd-journal-upload.service.in b/units/systemd-journal-upload.service.in
index 92cd4e52592bf1ff4b87fa11b86ba7577fc963e7..10e4d657d3ac319f4c9c0b716f5bfce403dd4281 100644 (file)
--- a/units/systemd-journal-upload.service.in
+++ b/units/systemd-journal-upload.service.in
@@ -22,6 +22,7 @@ NoNewPrivileges=yes
 PrivateDevices=yes
 ProtectControlGroups=yes
 ProtectHome=yes
+ProtectHostname=yes
 ProtectKernelModules=yes
 ProtectKernelTunables=yes
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6

diff --git a/units/systemd-journald.service.in b/units/systemd-journald.service.in
index 4684f095c0778f4d21d376bab2c6c1e36dba9bab..1807d73c68586297776b2053816670ce56f79e45 100644 (file)
--- a/units/systemd-journald.service.in
+++ b/units/systemd-journald.service.in
@@ -23,6 +23,7 @@ IPAddressDeny=any
 LockPersonality=yes
 MemoryDenyWriteExecute=yes
 NoNewPrivileges=yes
+ProtectHostname=yes
 Restart=always
 RestartSec=0
 RestrictAddressFamilies=AF_UNIX AF_NETLINK

diff --git a/units/systemd-localed.service.in b/units/systemd-localed.service.in
index 01e0703d0e207c7da718feb6dd26f2d21becca24..a64e7e79a8fbbebcca7a7ff5f22c19bcd575af5d 100644 (file)
--- a/units/systemd-localed.service.in
+++ b/units/systemd-localed.service.in
@@ -25,6 +25,7 @@ PrivateNetwork=yes
 PrivateTmp=yes
 ProtectControlGroups=yes
 ProtectHome=yes
+ProtectHostname=yes
 ProtectKernelModules=yes
 ProtectKernelTunables=yes
 ProtectSystem=strict

diff --git a/units/systemd-logind.service.in b/units/systemd-logind.service.in
index 38a7f269aca173af5f5c66ceaaaea009a2b2d766..fb6fda49077742d746fb106c194bc88da884a59c 100644 (file)
--- a/units/systemd-logind.service.in
+++ b/units/systemd-logind.service.in
@@ -28,6 +28,7 @@ IPAddressDeny=any
 LockPersonality=yes
 MemoryDenyWriteExecute=yes
 NoNewPrivileges=yes
+ProtectHostname=yes
 Restart=always
 RestartSec=0
 RestrictAddressFamilies=AF_UNIX AF_NETLINK

diff --git a/units/systemd-machined.service.in b/units/systemd-machined.service.in
index 9f1476814df60d96d47f48b1144b75a38f7b201b..d6deefea083a508ac458623a5443e00fefa4356d 100644 (file)
--- a/units/systemd-machined.service.in
+++ b/units/systemd-machined.service.in
@@ -23,6 +23,7 @@ IPAddressDeny=any
 LockPersonality=yes
 MemoryDenyWriteExecute=yes
 NoNewPrivileges=yes
+ProtectHostname=yes
 RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
 RestrictRealtime=yes
 SystemCallArchitectures=native

diff --git a/units/systemd-networkd.service.in b/units/systemd-networkd.service.in
index 472ef045de9e5cce5f421ef27a2ff4643a0be22b..5da0e1e3307e720e6558d22b6b95fe322a702cce 100644 (file)
--- a/units/systemd-networkd.service.in
+++ b/units/systemd-networkd.service.in
@@ -27,6 +27,7 @@ MemoryDenyWriteExecute=yes
 NoNewPrivileges=yes
 ProtectControlGroups=yes
 ProtectHome=yes
+ProtectHostname=yes
 ProtectKernelModules=yes
 ProtectSystem=strict
 Restart=on-failure

diff --git a/units/systemd-portabled.service.in b/units/systemd-portabled.service.in
index a44cdb30a42f673b7327d2d82fd19f47d16ef049..a8eab94d02e524738f58210bf200afee034e6033 100644 (file)
--- a/units/systemd-portabled.service.in
+++ b/units/systemd-portabled.service.in
@@ -18,6 +18,7 @@ BusName=org.freedesktop.portable1
 WatchdogSec=3min
 CapabilityBoundingSet=CAP_KILL CAP_SYS_PTRACE CAP_SYS_ADMIN CAP_SETGID CAP_SYS_CHROOT CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE CAP_CHOWN CAP_FOWNER CAP_FSETID CAP_MKNOD
 MemoryDenyWriteExecute=yes
+ProtectHostname=yes
 RestrictRealtime=yes
 RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
 SystemCallFilter=@system-service @mount

diff --git a/units/systemd-resolved.service.in b/units/systemd-resolved.service.in
index 3144b70063ee3acc4bd4a1fb704e7824143b1d23..eac3f31012ca8f59b1dfc41f26aaf0bd495f4fb4 100644 (file)
--- a/units/systemd-resolved.service.in
+++ b/units/systemd-resolved.service.in
@@ -30,6 +30,7 @@ PrivateDevices=yes
 PrivateTmp=yes
 ProtectControlGroups=yes
 ProtectHome=yes
+ProtectHostname=yes
 ProtectKernelModules=yes
 ProtectKernelTunables=yes
 ProtectSystem=strict

diff --git a/units/systemd-timedated.service.in b/units/systemd-timedated.service.in
index 6d5302419579bf5c4e52adf2ffb4c1f2be3898fe..46ee8c894df6ae65251155b47977beab38008454 100644 (file)
--- a/units/systemd-timedated.service.in
+++ b/units/systemd-timedated.service.in
@@ -23,6 +23,7 @@ NoNewPrivileges=yes
 PrivateTmp=yes
 ProtectControlGroups=yes
 ProtectHome=yes
+ProtectHostname=yes
 ProtectKernelModules=yes
 ProtectKernelTunables=yes
 ProtectSystem=strict

diff --git a/units/systemd-timesyncd.service.in b/units/systemd-timesyncd.service.in
index 03ade45d0868e57e74614320b3e1e34df13adf23..5313a90c30b62390b04f4a5c6bdf5eb53ffbe571 100644 (file)
--- a/units/systemd-timesyncd.service.in
+++ b/units/systemd-timesyncd.service.in
@@ -29,6 +29,7 @@ PrivateDevices=yes
 PrivateTmp=yes
 ProtectControlGroups=yes
 ProtectHome=yes
+ProtectHostname=yes
 ProtectKernelModules=yes
 ProtectKernelTunables=yes
 ProtectSystem=strict

diff --git a/units/systemd-udevd.service.in b/units/systemd-udevd.service.in
index 6a3814e5d92607a397b88bb55015a6be47bc75ff..fb98ca4d43a2094484e2adafb7cca638fa85ec7c 100644 (file)
--- a/units/systemd-udevd.service.in
+++ b/units/systemd-udevd.service.in
@@ -26,6 +26,7 @@ KillMode=mixed
 WatchdogSec=3min
 TasksMax=infinity
 PrivateMounts=yes
+ProtectHostname=yes
 MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6