]> git.ipfire.org Git - thirdparty/systemd.git/commitdiff
projects / thirdparty / systemd.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 7f396e5)
units: restrict namespace for a good number of our own services
authorLennart Poettering <lennart@poettering.net>
Thu, 9 Feb 2017 09:28:23 +0000 (10:28 +0100)
committerLennart Poettering <lennart@poettering.net>
Thu, 9 Feb 2017 15:12:03 +0000 (16:12 +0100)
Basically, we turn it on for most long-running services, with the
exception of machined (whose child processes need to join containers
here and there), and importd (which sandboxes tar in a CLONE_NEWNET
namespace). machined is left unrestricted, and importd is restricted to
use only "net"

units/systemd-hostnamed.service.in patch | blob | blame | history
units/systemd-importd.service.in patch | blob | blame | history
units/systemd-journal-gatewayd.service.in patch | blob | blame | history
units/systemd-journal-remote.service.in patch | blob | blame | history
units/systemd-journal-upload.service.in patch | blob | blame | history
units/systemd-journald.service.in patch | blob | blame | history
units/systemd-localed.service.in patch | blob | blame | history
units/systemd-logind.service.in patch | blob | blame | history
units/systemd-timedated.service.in patch | blob | blame | history
units/systemd-timesyncd.service.in patch | blob | blame | history

diff --git a/units/systemd-hostnamed.service.in b/units/systemd-hostnamed.service.in
index 89d942b072242f9f9a1313648b3dc71e1641c368..8a551403cff667467d2f479ed8e80dc4d5ce70a3 100644 (file)
--- a/units/systemd-hostnamed.service.in
+++ b/units/systemd-hostnamed.service.in
@@ -24,6 +24,7 @@ ProtectControlGroups=yes
 ProtectKernelTunables=yes
 MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
+RestrictNamespaces=yes
 RestrictAddressFamilies=AF_UNIX
 SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io
 SystemCallArchitectures=native
diff --git a/units/systemd-importd.service.in b/units/systemd-importd.service.in
index 2a8a683d95f7fd0a59cc01caaf7b351e95fbc16f..de2431739ff85bdf89ec17977805b7244e11d396 100644 (file)
--- a/units/systemd-importd.service.in
+++ b/units/systemd-importd.service.in
@@ -19,6 +19,7 @@ CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER CAP_FSETID CAP_MKNOD CAP_SETFCAP CAP_
 NoNewPrivileges=yes
 MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
+RestrictNamespaces=net
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
 SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @obsolete @raw-io
 SystemCallArchitectures=native
diff --git a/units/systemd-journal-gatewayd.service.in b/units/systemd-journal-gatewayd.service.in
index b0b934deb21918010f09cb1b37a7267e2e4e83c8..677cb2a04b37a6e77ca4b48b61d9030a56301f8f 100644 (file)
--- a/units/systemd-journal-gatewayd.service.in
+++ b/units/systemd-journal-gatewayd.service.in
@@ -24,6 +24,7 @@ ProtectControlGroups=yes
 ProtectKernelTunables=yes
 MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
+RestrictNamespaces=yes
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
 SystemCallArchitectures=native
 
diff --git a/units/systemd-journal-remote.service.in b/units/systemd-journal-remote.service.in
index bc384b83824f5b24fccf41f8b1974b06faa56487..cab7778ddc7a5319c8d2eef0bae558fa968be5ce 100644 (file)
--- a/units/systemd-journal-remote.service.in
+++ b/units/systemd-journal-remote.service.in
@@ -24,6 +24,7 @@ ProtectControlGroups=yes
 ProtectKernelTunables=yes
 MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
+RestrictNamespaces=yes
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
 SystemCallArchitectures=native
 
diff --git a/units/systemd-journal-upload.service.in b/units/systemd-journal-upload.service.in
index d28a62bb35eb97c1841631b5c004c1bace920ef9..f539c7dc1f81379d3a56ca92733d3522b00ed09a 100644 (file)
--- a/units/systemd-journal-upload.service.in
+++ b/units/systemd-journal-upload.service.in
@@ -24,6 +24,7 @@ ProtectControlGroups=yes
 ProtectKernelTunables=yes
 MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
+RestrictNamespaces=yes
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
 SystemCallArchitectures=native
 
diff --git a/units/systemd-journald.service.in b/units/systemd-journald.service.in
index b2e7eeeda3fa0beb59f383236c2606ad98df1a77..adabedd977b2b2f3ee482413ecf4d494d0369a66 100644 (file)
--- a/units/systemd-journald.service.in
+++ b/units/systemd-journald.service.in
@@ -26,6 +26,7 @@ FileDescriptorStoreMax=1024
 CapabilityBoundingSet=CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SYS_PTRACE CAP_SYSLOG CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_CHOWN CAP_DAC_READ_SEARCH CAP_FOWNER CAP_SETUID CAP_SETGID CAP_MAC_OVERRIDE
 MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
+RestrictNamespaces=yes
 RestrictAddressFamilies=AF_UNIX AF_NETLINK
 SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io
 SystemCallArchitectures=native
diff --git a/units/systemd-localed.service.in b/units/systemd-localed.service.in
index af2cdfffbeb901a8beac356b00d9f77004a464fb..1b6c163ef4a5d6324fe546b39e928dc356a1fb87 100644 (file)
--- a/units/systemd-localed.service.in
+++ b/units/systemd-localed.service.in
@@ -24,6 +24,7 @@ ProtectControlGroups=yes
 ProtectKernelTunables=yes
 MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
+RestrictNamespaces=yes
 RestrictAddressFamilies=AF_UNIX
 SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io
 SystemCallArchitectures=native
diff --git a/units/systemd-logind.service.in b/units/systemd-logind.service.in
index fcbfd1debeb62c1e9f2ca2b5b1bc4b317be32c99..93abeb3dca03a8054c76e6045ffef6e2d88e5249 100644 (file)
--- a/units/systemd-logind.service.in
+++ b/units/systemd-logind.service.in
@@ -27,6 +27,7 @@ WatchdogSec=3min
 CapabilityBoundingSet=CAP_SYS_ADMIN CAP_MAC_ADMIN CAP_AUDIT_CONTROL CAP_CHOWN CAP_KILL CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE CAP_FOWNER CAP_SYS_TTY_CONFIG
 MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
+RestrictNamespaces=yes
 RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
 SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @obsolete @raw-io
 SystemCallArchitectures=native
diff --git a/units/systemd-timedated.service.in b/units/systemd-timedated.service.in
index 7608d9da28992836b15f6882b0f022c834389ce2..26756d6e017ab283f454ef305ec5f825a3c8285c 100644 (file)
--- a/units/systemd-timedated.service.in
+++ b/units/systemd-timedated.service.in
@@ -22,6 +22,7 @@ ProtectControlGroups=yes
 ProtectKernelTunables=yes
 MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
+RestrictNamespaces=yes
 RestrictAddressFamilies=AF_UNIX
 SystemCallFilter=~@cpu-emulation @debug @keyring @module @mount @obsolete @raw-io
 SystemCallArchitectures=native
diff --git a/units/systemd-timesyncd.service.in b/units/systemd-timesyncd.service.in
index 46b81ebab3a722bf065e9718ebd7e41872bc3f52..5eb3f2362f36c69fb76c63242ee7f03506180b52 100644 (file)
--- a/units/systemd-timesyncd.service.in
+++ b/units/systemd-timesyncd.service.in
@@ -32,6 +32,7 @@ ProtectControlGroups=yes
 ProtectKernelTunables=yes
 MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
+RestrictNamespaces=yes
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
 SystemCallFilter=~@cpu-emulation @debug @keyring @module @mount @obsolete @raw-io
 SystemCallArchitectures=native
Unnamed repository; edit this file 'description' to name the repository.