From: Andreas Henriksson Date: Fri, 23 Nov 2018 11:10:59 +0000 (+0100) Subject: uuidd: Add hardening settings to uuidd.service X-Git-Tag: v2.34-rc1~254 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=df8d991b241d3eec80a621372f0c80a59abbfdae;p=thirdparty%2Futil-linux.git uuidd: Add hardening settings to uuidd.service This limits what the uuid daemon has access to when it runs. Further improving this with additional option or making things even tighter is most likely possible. Signed-off-by: Andreas Henriksson --- diff --git a/misc-utils/uuidd.service.in b/misc-utils/uuidd.service.in index a43b3c3e07..b4c9c46350 100644 --- a/misc-utils/uuidd.service.in +++ b/misc-utils/uuidd.service.in @@ -8,6 +8,17 @@ ExecStart=@usrsbin_execdir@/uuidd --socket-activation Restart=no User=uuidd Group=uuidd +ProtectSystem=strict +ProtectHome=yes +PrivateDevices=yes +PrivateNetwork=yes +PrivateUsers=yes +ProtectKernelTunables=yes +ProtectKernelModules=yes +ProtectControlGroups=yes +RestrictAddressFamilies=AF_UNIX +MemoryDenyWriteExecute=yes +SystemCallFilter=@default @file-system @basic-io @system-service @signal @io-event @network-io [Install] Also=uuidd.socket
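Review bot: ProtectSystem=strict is added with no ReadWritePaths= or StateDirectory= line anywhere in the hunk, so the whole file system hierarchy apart from /dev, /proc and /sys becomes read-only for the daemon. If uuidd persists any state to disk, those writes will fail once this unit is in use; either add the writable path explicitly or say in the commit message that none is needed, and test the service with the state directory present. On the SystemCallFilter= line, @system-service already includes @default, @file-system, @basic-io, @signal, @io-event and @network-io in systemd's set definitions, so the list can be reduced to @system-service alone, or @system-service dropped in favour of the narrower groups if the intent was a tight allow-list. Adding SystemCallArchitectures=native alongside it would keep the filter from being bypassed through a non-native ABI, and NoNewPrivileges=yes would make explicit what the filter otherwise only implies for a non-root User=.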