]> git.ipfire.org Git - thirdparty/systemd.git/commitdiff
projects / thirdparty / systemd.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 762267c)
units: deny access to block devices
authorTopi Miettinen <toiwoton@gmail.com>
Wed, 1 May 2019 12:28:36 +0000 (15:28 +0300)
committerLennart Poettering <lennart@poettering.net>
Thu, 20 Jun 2019 12:03:57 +0000 (14:03 +0200)
While the need for access to character devices can be tricky to determine for
the general case, it's obvious that most of our services have no need to access
block devices. For logind and timedated this can be tightened further.

units/systemd-journald.service.in patch | blob | blame | history
units/systemd-logind.service.in patch | blob | blame | history
units/systemd-networkd.service.in patch | blob | blame | history
units/systemd-timedated.service.in patch | blob | blame | history

diff --git a/units/systemd-journald.service.in b/units/systemd-journald.service.in
index fab405502a04e39c18ba63137886bae3f333bf4b..323334f6a3987431d706467991fb8d5f35007edc 100644 (file)
--- a/units/systemd-journald.service.in
+++ b/units/systemd-journald.service.in
@@ -17,6 +17,7 @@ Before=sysinit.target
 
 [Service]
 CapabilityBoundingSet=CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SYS_PTRACE CAP_SYSLOG CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_CHOWN CAP_DAC_READ_SEARCH CAP_FOWNER CAP_SETUID CAP_SETGID CAP_MAC_OVERRIDE
+DeviceAllow=char-* rw
 ExecStart=@rootlibexecdir@/systemd-journald
 FileDescriptorStoreMax=4224
 IPAddressDeny=any
diff --git a/units/systemd-logind.service.in b/units/systemd-logind.service.in
index 8a7262776f9236ad697278099593c1dbe2ac9903..1b37290d4f5a2ad3853434e550429149407e87f5 100644 (file)
--- a/units/systemd-logind.service.in
+++ b/units/systemd-logind.service.in
@@ -22,6 +22,11 @@ After=dbus.socket
 [Service]
 BusName=org.freedesktop.login1
 CapabilityBoundingSet=CAP_SYS_ADMIN CAP_MAC_ADMIN CAP_AUDIT_CONTROL CAP_CHOWN CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE CAP_FOWNER CAP_SYS_TTY_CONFIG CAP_LINUX_IMMUTABLE
+DeviceAllow=char-/dev/console rw
+DeviceAllow=char-drm rw
+DeviceAllow=char-input rw
+DeviceAllow=char-tty rw
+DeviceAllow=char-vcs rw
 ExecStart=@rootlibexecdir@/systemd-logind
 FileDescriptorStoreMax=512
 IPAddressDeny=any
diff --git a/units/systemd-networkd.service.in b/units/systemd-networkd.service.in
index 2c74da6f1ede5774b2fdbaaa08d64bf046202a3c..9ea3bb914efbd2a4470d084ece0766b9e2098873 100644 (file)
--- a/units/systemd-networkd.service.in
+++ b/units/systemd-networkd.service.in
@@ -21,6 +21,7 @@ Wants=network.target
 [Service]
 AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW
 CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW
+DeviceAllow=char-* rw
 ExecStart=!!@rootlibexecdir@/systemd-networkd
 LockPersonality=yes
 MemoryDenyWriteExecute=yes
diff --git a/units/systemd-timedated.service.in b/units/systemd-timedated.service.in
index df546f471faa6ed9d424bac5e418f03776fdb4d7..d430ee201754a10195be466bc7b8e9f2c3b5a5d3 100644 (file)
--- a/units/systemd-timedated.service.in
+++ b/units/systemd-timedated.service.in
@@ -15,6 +15,7 @@ Documentation=https://www.freedesktop.org/wiki/Software/systemd/timedated
 [Service]
 BusName=org.freedesktop.timedate1
 CapabilityBoundingSet=CAP_SYS_TIME
+DeviceAllow=char-rtc r
 ExecStart=@rootlibexecdir@/systemd-timedated
 IPAddressDeny=any
 LockPersonality=yes
Unnamed repository; edit this file 'description' to name the repository.