Revert "units: lock down logind with fs namespacing options"
authorZbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
Wed, 14 Nov 2018 16:03:33 +0000 (17:03 +0100)
committerEvgeny Vereshchagin <evvers@ya.ru>
Thu, 15 Nov 2018 14:48:01 +0000 (17:48 +0300)
units/systemd-logind.service.in

index 6886fa9bfefb48779b8197c7d548dc8f36ee2dc8..38a7f269aca173af5f5c66ceaaaea009a2b2d766 100644 (file)
@@ -21,26 +21,18 @@ After=dbus.socket
 
 [Service]
 BusName=org.freedesktop.login1
-CapabilityBoundingSet=CAP_SYS_ADMIN CAP_MAC_ADMIN CAP_AUDIT_CONTROL CAP_CHOWN CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE CAP_FOWNER CAP_SYS_TTY_CONFIG
+CapabilityBoundingSet=CAP_SYS_ADMIN CAP_MAC_ADMIN CAP_AUDIT_CONTROL CAP_CHOWN CAP_KILL CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE CAP_FOWNER CAP_SYS_TTY_CONFIG
 ExecStart=@rootlibexecdir@/systemd-logind
 FileDescriptorStoreMax=512
 IPAddressDeny=any
 LockPersonality=yes
 MemoryDenyWriteExecute=yes
 NoNewPrivileges=yes
-PrivateTmp=yes
-ProtectControlGroups=yes
-ProtectHome=yes
-ProtectKernelModules=yes
-ProtectSystem=strict
-ReadWritePaths=/etc
 Restart=always
 RestartSec=0
 RestrictAddressFamilies=AF_UNIX AF_NETLINK
 RestrictNamespaces=yes
 RestrictRealtime=yes
-RuntimeDirectory=systemd/sessions systemd/seats systemd/users
-RuntimeDirectoryPreserve=yes
 SystemCallArchitectures=native
 SystemCallErrorNumber=EPERM
 SystemCallFilter=@system-service
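Review bot: After this revert the `[Service]` section has no comment explaining why the mount-namespacing directives (`ProtectSystem=strict`, `ProtectHome=yes`, `PrivateTmp=yes`, `ProtectControlGroups=yes`, `ProtectKernelModules=yes`) are absent, or why `CAP_KILL` is back in `CapabilityBoundingSet=`. The bounding set still includes `CAP_SYS_ADMIN`, `CAP_DAC_OVERRIDE` and `CAP_CHOWN`, so with those directives gone the unit no longer restricts the daemon's view of the filesystem. A later hardening pass is likely to re-apply them and hit whatever regression prompted the revert, which is not visible on this page. I would add a comment above `NoNewPrivileges=yes` such as `# Filesystem namespacing (ProtectSystem=, ProtectHome=, PrivateTmp=, ...) intentionally not set, see <issue reference>`, and say there what `CAP_KILL` is needed for. The `[Service]` section may continue past the end of the hunk.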