From: Zbigniew Jędrzejewski-Szmek
Date: Thu, 5 Mar 2026 11:17:47 +0000 (+0100)
Subject: report-basic: lock down the service
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5d0a9539603399abcc161cb87cdee5fde2715466;p=thirdparty%2Fsystemd.git

report-basic: lock down the service

The basic approach is copied from systemd-journal-gatewayd.service, with some additions to lock down unneeded network access.
---

diff --git a/units/systemd-report-basic.socket b/units/systemd-report-basic.socket
index bce93091968..bfa4ea72568 100644
--- a/units/systemd-report-basic.socket
+++ b/units/systemd-report-basic.socket
@@ -16,6 +16,7 @@ ListenStream=/run/systemd/report/io.systemd.Basic
 FileDescriptorName=varlink
 SocketMode=0666
 Accept=yes
+MaxConnectionsPerSource=16
 RemoveOnStop=yes
 [Install]
diff --git a/units/systemd-report-basic@.service.in b/units/systemd-report-basic@.service.in
index ad4e3fce708..a8a3b76e865 100644
--- a/units/systemd-report-basic@.service.in
+++ b/units/systemd-report-basic@.service.in
@@ -10,4 +10,28 @@ Description=Report System Basic Facts
 [Service]
+CapabilityBoundingSet=
+DeviceAllow=
+DynamicUser=yes
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+PrivateDevices=yes
+PrivateIPC=yes
+PrivateNetwork=yes
+PrivateTmp=disconnected
+ProtectControlGroups=yes
+ProtectHome=yes
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectSystem=strict
+RestrictAddressFamilies=AF_UNIX
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+SystemCallArchitectures=native
+SystemCallErrorNumber=EPERM
+SystemCallFilter=@system-service
+
 ExecStart={{LIBEXECDIR}}/systemd-report-basic
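Review bot: `MaxConnectionsPerSource=16` is added without a comment and without touching the overall ceiling, so the total number of per-connection instances stays at the documented `MaxConnections=` default while the per-source cap (per source UID on an AF_UNIX socket) is the only thing stopping one local account from taking the whole budget on a socket that is `SocketMode=0666` with `Accept=yes`. The value 16 is not explained anywhere in the hunk; a one-line comment above it such as `# World-connectable (0666) and Accept=yes: cap per-UID instances so a single local user cannot exhaust MaxConnections=` would record the intent for the next reader. If a tighter global bound is wanted, setting `MaxConnections=` explicitly next to it is the matching change, but that is a policy choice the commit does not claim to make.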
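Review bot: The hardening block leaves /proc fully visible to each per-connection instance: `ProtectProc=invisible` is not among the added `Protect*=` lines, so the dynamic user can still enumerate other users' processes, and `ProtectClock=yes` is absent as well. A reporter of basic system facts presumably only needs its own /proc entries plus ordinary files such as /etc/os-release, but the program is not in this diff, so confirm what it reads before adding `ProtectProc=invisible` and `ProtectClock=yes` alphabetically between `ProtectKernelTunables=yes` and `ProtectSystem=strict`; `ProcSubset=pid` would additionally hide /proc/sys, which would break anything that reads the boot id from /proc/sys/kernel/random/boot_id, so it should only be added if the reporter is known not to need such paths. Note also that `RestrictAddressFamilies=AF_UNIX` together with `PrivateNetwork=yes` denies AF_NETLINK, which is fine for a varlink responder over the passed-in socket but will make any interface or route enumeration fail with EAFNOSUPPORT rather than return empty data, so it is worth a quick check that the binary does not rely on netlink. Several of the added directives (`RestrictSUIDSGID=yes`, `PrivateTmp=`, `ProtectSystem=strict`) are already implied by `DynamicUser=yes`; keeping them explicit is harmless and mirrors the gatewayd unit the message cites.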