From: Paul Meyer
Date: Wed, 24 Jun 2026 10:43:40 +0000 (+0200)
Subject: units: harden systemd-report-sign-plain@.service
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=087b0ebb61b9eb6843e844d31dbe96157a95da0e;p=thirdparty%2Fsystemd.git

units: harden systemd-report-sign-plain@.service

Apply sandboxing. The plain backend needs a writable StateDirectory and /dev/urandom for key generation. The service must stay root (the private key is root-only), but everything else is locked down.

Signed-off-by: Paul Meyer
---

diff --git a/units/systemd-report-sign-plain@.service.in b/units/systemd-report-sign-plain@.service.in
index 7778239d78a..f084b33d9f2 100644
--- a/units/systemd-report-sign-plain@.service.in
+++ b/units/systemd-report-sign-plain@.service.in
@@ -19,3 +19,32 @@ WantsMountsFor=/var/lib/systemd/report.sign.plain
 StateDirectory=systemd/report.sign.plain
 StateDirectoryMode=0700
 ExecStart={{LIBEXECDIR}}/systemd-report-sign-plain
+CapabilityBoundingSet=
+DeviceAllow=
+IPAddressDeny=any
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
+PrivateDevices=yes
+PrivateIPC=yes
+PrivateNetwork=yes
+PrivateTmp=disconnected
+ProtectClock=yes
+ProtectControlGroups=yes
+ProtectHome=yes
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectProc=invisible
+ProtectSystem=strict
+RestrictAddressFamilies=AF_UNIX
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+RuntimeMaxSec=5min
+SystemCallArchitectures=native
+SystemCallErrorNumber=EPERM
+SystemCallFilter=@system-service
+SystemCallFilter=~@privileged @resources
+UMask=0077
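Review bot: the empty `DeviceAllow=` in this hunk reads as if it removes the /dev/urandom access the commit message says the backend needs; it is only correct because `PrivateDevices=yes` implies `DevicePolicy=closed`, which still permits the standard pseudo-devices (/dev/null, /dev/zero, /dev/full, /dev/random, /dev/urandom) in the private /dev. Please say so in the commit message or in a comment next to `DeviceAllow=`, otherwise the next person touching the unit will either "fix" it by adding `DeviceAllow=/dev/urandom` or drop `PrivateDevices=` and silently lose urandom. If the backend actually draws its key material through getrandom(2) (already permitted by `@system-service`), the /dev/urandom justification in the message should be corrected to match, since the device node is then not needed at all. Two smaller points: `ProtectProc=invisible` is usually paired with `ProcSubset=pid` in the other hardened in-tree units, and `RuntimeMaxSec=5min` turns a slow key generation into a hard kill of a root service that holds the only copy of the private key, so the generation path should write the key atomically (temp file plus rename) if it does not already; that is worth confirming in the backend before relying on this limit.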