units: enable MemoryDenyWriteExecute (#3459)

Secure daemons shipped by systemd by enabling MemoryDenyWriteExecute.

Closes: #3459

diff --git a/units/systemd-hostnamed.service.in b/units/systemd-hostnamed.service.in
index b7079e4a7c04dbcfe177baba90e1e2783c3c448c..fc43b2c4a67488314fb5c0bd8673f100711e873c 100644 (file)
--- a/units/systemd-hostnamed.service.in
+++ b/units/systemd-hostnamed.service.in
@@ -20,3 +20,4 @@ PrivateDevices=yes
 PrivateNetwork=yes
 ProtectSystem=yes
 ProtectHome=yes
+MemoryDenyWriteExecute=yes

diff --git a/units/systemd-importd.service.in b/units/systemd-importd.service.in
index b74ad72cdcd90105248bdf4e9425621461bc232c..2f8138e88e6c3153855923c3346418280a9064b1 100644 (file)
--- a/units/systemd-importd.service.in
+++ b/units/systemd-importd.service.in
@@ -17,3 +17,4 @@ CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER CAP_FSETID CAP_MKNOD CAP_SETFCAP CAP_
 NoNewPrivileges=yes
 WatchdogSec=3min
 KillMode=mixed
+MemoryDenyWriteExecute=yes

diff --git a/units/systemd-journald.service.in b/units/systemd-journald.service.in
index 41bfde5be3c5d814e39a7d0858afdfe0652d3927..06abe048611a9f01865beef5eb77118d4e9c0bc5 100644 (file)
--- a/units/systemd-journald.service.in
+++ b/units/systemd-journald.service.in
@@ -24,6 +24,7 @@ StandardOutput=null
 CapabilityBoundingSet=CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SYS_PTRACE CAP_SYSLOG CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_CHOWN CAP_DAC_READ_SEARCH CAP_FOWNER CAP_SETUID CAP_SETGID CAP_MAC_OVERRIDE
 WatchdogSec=3min
 FileDescriptorStoreMax=1024
+MemoryDenyWriteExecute=yes
 
 # Increase the default a bit in order to allow many simultaneous
 # services being run since we keep one fd open per service. Also, when

diff --git a/units/systemd-localed.service.in b/units/systemd-localed.service.in
index 9b13f901a394ef3fac7284d4dd9d53990e8524e3..743221472cb574752667cdd9a9499df9d1f74b3a 100644 (file)
--- a/units/systemd-localed.service.in
+++ b/units/systemd-localed.service.in
@@ -20,3 +20,4 @@ PrivateDevices=yes
 PrivateNetwork=yes
 ProtectSystem=yes
 ProtectHome=yes
+MemoryDenyWriteExecute=yes

diff --git a/units/systemd-logind.service.in b/units/systemd-logind.service.in
index ff049134eeefb1cb33583e143024f166a73dddc8..67e2c34482ac238225c353088dad5a82f0dd5012 100644 (file)
--- a/units/systemd-logind.service.in
+++ b/units/systemd-logind.service.in
@@ -25,6 +25,7 @@ RestartSec=0
 BusName=org.freedesktop.login1
 CapabilityBoundingSet=CAP_SYS_ADMIN CAP_MAC_ADMIN CAP_AUDIT_CONTROL CAP_CHOWN CAP_KILL CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE CAP_FOWNER CAP_SYS_TTY_CONFIG
 WatchdogSec=3min
+MemoryDenyWriteExecute=yes
 
 # Increase the default a bit in order to allow many simultaneous
 # logins since we keep one fd open per session.

diff --git a/units/systemd-machined.service.in b/units/systemd-machined.service.in
index 685baab21d4055eb6b4fe914ce0ecde1565e07ee..1517068ecdf55c060c332fe2ece44cc44b377abd 100644 (file)
--- a/units/systemd-machined.service.in
+++ b/units/systemd-machined.service.in
@@ -17,6 +17,7 @@ ExecStart=@rootlibexecdir@/systemd-machined
 BusName=org.freedesktop.machine1
 CapabilityBoundingSet=CAP_KILL CAP_SYS_PTRACE CAP_SYS_ADMIN CAP_SETGID CAP_SYS_CHROOT CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE CAP_CHOWN CAP_FOWNER CAP_FSETID CAP_MKNOD
 WatchdogSec=3min
+MemoryDenyWriteExecute=yes
 
 # Note that machined cannot be placed in a mount namespace, since it
 # needs access to the host's mount namespace in order to implement the

diff --git a/units/systemd-networkd.service.m4.in b/units/systemd-networkd.service.m4.in
index 27d4d589622841ea6b9d19459f5b2877ad807d07..3c9970fa48a2c8c521df5f1f0695ab03e28ea4c0 100644 (file)
--- a/units/systemd-networkd.service.m4.in
+++ b/units/systemd-networkd.service.m4.in
@@ -31,6 +31,7 @@ CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_N
 ProtectSystem=full
 ProtectHome=yes
 WatchdogSec=3min
+MemoryDenyWriteExecute=yes
 
 [Install]
 WantedBy=multi-user.target

diff --git a/units/systemd-resolved.service.m4.in b/units/systemd-resolved.service.m4.in
index 8e1c1dea794c3f869b2e6e0cb99dc3ea513ff477..07c7658bcc02eac4b565b3135d84f5a2cde80ebe 100644 (file)
--- a/units/systemd-resolved.service.m4.in
+++ b/units/systemd-resolved.service.m4.in
@@ -27,6 +27,7 @@ CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_SETPCAP CAP_CHOWN CAP_DAC_OVERRI
 ProtectSystem=full
 ProtectHome=yes
 WatchdogSec=3min
+MemoryDenyWriteExecute=yes
 
 [Install]
 WantedBy=multi-user.target

diff --git a/units/systemd-timedated.service.in b/units/systemd-timedated.service.in
index 0c9599db2016c7bc83d6b8975a941d9d7ff14449..3636091472831d0360568612af6fbe94a2a1021f 100644 (file)
--- a/units/systemd-timedated.service.in
+++ b/units/systemd-timedated.service.in
@@ -18,3 +18,4 @@ WatchdogSec=3min
 PrivateTmp=yes
 ProtectSystem=yes
 ProtectHome=yes
+MemoryDenyWriteExecute=yes

diff --git a/units/systemd-timesyncd.service.in b/units/systemd-timesyncd.service.in
index a856dad70933d0580ea3c438bf6b37a955e7d536..caf1dc132fa176ea23453b7964ce390033b0f899 100644 (file)
--- a/units/systemd-timesyncd.service.in
+++ b/units/systemd-timesyncd.service.in
@@ -28,6 +28,7 @@ PrivateDevices=yes
 ProtectSystem=full
 ProtectHome=yes
 WatchdogSec=3min
+MemoryDenyWriteExecute=yes
 
 [Install]
 WantedBy=sysinit.target