units: set ProtectKernelLogs=yes on relevant units

author Kevin Kuehler <keur@xcf.berkeley.edu>

Thu, 14 Nov 2019 00:56:23 +0000 (16:56 -0800)

committer Kevin Kuehler <keur@xcf.berkeley.edu>

Fri, 15 Nov 2019 08:59:54 +0000 (00:59 -0800)
author Kevin Kuehler <keur@xcf.berkeley.edu>
Thu, 14 Nov 2019 00:56:23 +0000 (16:56 -0800)
committer Kevin Kuehler <keur@xcf.berkeley.edu>
Fri, 15 Nov 2019 08:59:54 +0000 (00:59 -0800)
diff --git a/units/systemd-coredump@.service.in b/units/systemd-coredump@.service.in

index afb2ab9d17352e453186ebca8a61d888c24ec7fa..951faa62a161b7357a85b441e764459eab4c36d2 100644 (file)
--- a/units/systemd-coredump@.service.in
+++ b/units/systemd-coredump@.service.in
@@ -32,6 +32,7 @@ ProtectHome=yes
  ProtectHostname=yes
  ProtectKernelModules=yes
  ProtectKernelTunables=yes
+ProtectKernelLogs=yes
  ProtectSystem=strict
  RestrictAddressFamilies=AF_UNIX
  RestrictNamespaces=yes
diff --git a/units/systemd-hostnamed.service.in b/units/systemd-hostnamed.service.in

index 1fbbafdd6f0ec8a63552fbb937701b29974323ef..1365d749ca48bb9d553589c8820bb975170d1491 100644 (file)
--- a/units/systemd-hostnamed.service.in
+++ b/units/systemd-hostnamed.service.in
@@ -27,6 +27,7 @@ ProtectControlGroups=yes
  ProtectHome=yes
  ProtectKernelModules=yes
  ProtectKernelTunables=yes
+ProtectKernelLogs=yes
  ProtectSystem=strict
  ReadWritePaths=/etc
  RestrictAddressFamilies=AF_UNIX
diff --git a/units/systemd-journal-gatewayd.service.in b/units/systemd-journal-gatewayd.service.in

index 50f774512b8c7d1fced3fb670c4e88dc634ec1a6..8071395e680339d35ed07f002fcd5989e98a66d5 100644 (file)
--- a/units/systemd-journal-gatewayd.service.in
+++ b/units/systemd-journal-gatewayd.service.in
@@ -24,6 +24,7 @@ ProtectHome=yes
  ProtectHostname=yes
  ProtectKernelModules=yes
  ProtectKernelTunables=yes
+ProtectKernelLogs=yes
  RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
  RestrictNamespaces=yes
  RestrictRealtime=yes
diff --git a/units/systemd-journal-remote.service.in b/units/systemd-journal-remote.service.in

index 7f5238802ff933ca20280d683364f5a704e86032..6181d15d7776f6a61429b342595501c0c5dbcd0c 100644 (file)
--- a/units/systemd-journal-remote.service.in
+++ b/units/systemd-journal-remote.service.in
@@ -26,6 +26,7 @@ ProtectHome=yes
  ProtectHostname=yes
  ProtectKernelModules=yes
  ProtectKernelTunables=yes
+ProtectKernelLogs=yes
  ProtectSystem=strict
  RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
  RestrictNamespaces=yes
diff --git a/units/systemd-journal-upload.service.in b/units/systemd-journal-upload.service.in

index 33ef3b8dcad4c79c04dc419cb1f543b5d67348bf..2f1cce85187fb159118097d8be8733d9c5fea3ba 100644 (file)
--- a/units/systemd-journal-upload.service.in
+++ b/units/systemd-journal-upload.service.in
@@ -24,6 +24,7 @@ ProtectHome=yes
  ProtectHostname=yes
  ProtectKernelModules=yes
  ProtectKernelTunables=yes
+ProtectKernelLogs=yes
  RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
  RestrictNamespaces=yes
  RestrictRealtime=yes
diff --git a/units/systemd-localed.service.in b/units/systemd-localed.service.in

index f9a81fa8ddd58058f08c0a92c8d34e89d9180a37..10ecff5184a77a88c657616cd8d86e5ce48cf64f 100644 (file)
--- a/units/systemd-localed.service.in
+++ b/units/systemd-localed.service.in
@@ -28,6 +28,7 @@ ProtectHome=yes
  ProtectHostname=yes
  ProtectKernelModules=yes
  ProtectKernelTunables=yes
+ProtectKernelLogs=yes
  ProtectSystem=strict
  ReadWritePaths=/etc
  RestrictAddressFamilies=AF_UNIX
diff --git a/units/systemd-logind.service.in b/units/systemd-logind.service.in

index ef802a4e6f3629478fd22807b6a2d18288288c31..ccbe6315860d0107b40f8f511587fa03e3dbc12b 100644 (file)
--- a/units/systemd-logind.service.in
+++ b/units/systemd-logind.service.in
@@ -41,6 +41,7 @@ ProtectControlGroups=yes
  ProtectHome=yes
  ProtectHostname=yes
  ProtectKernelModules=yes
+ProtectKernelLogs=yes
  ProtectSystem=strict
  ReadWritePaths=/etc /run
  Restart=always
diff --git a/units/systemd-machined.service.in b/units/systemd-machined.service.in

index 3db0281f81dcb5f8589f5cd2c49b3cc4b93c6bc9..fa344d487dafe76cce70179423cae2c730850e2c 100644 (file)
--- a/units/systemd-machined.service.in
+++ b/units/systemd-machined.service.in
@@ -24,6 +24,7 @@ LockPersonality=yes
  MemoryDenyWriteExecute=yes
  NoNewPrivileges=yes
  ProtectHostname=yes
+ProtectKernelLogs=yes
  RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
  RestrictRealtime=yes
  SystemCallArchitectures=native
diff --git a/units/systemd-networkd.service.in b/units/systemd-networkd.service.in

index ed985f64fa56729d30bc59e0593e645a3042395d..01931665a494bca3796c7e4215c73b74942da092 100644 (file)
--- a/units/systemd-networkd.service.in
+++ b/units/systemd-networkd.service.in
@@ -29,6 +29,7 @@ NoNewPrivileges=yes
  ProtectControlGroups=yes
  ProtectHome=yes
  ProtectKernelModules=yes
+ProtectKernelLogs=yes
  ProtectSystem=strict
  Restart=on-failure
  RestartSec=0
diff --git a/units/systemd-portabled.service.in b/units/systemd-portabled.service.in

index fb79f454fd99593c06a2cdccd99e626939a346f4..3051fbd3d07bf315b776f6d697dbb3f4226c0c36 100644 (file)
--- a/units/systemd-portabled.service.in
+++ b/units/systemd-portabled.service.in
@@ -18,6 +18,7 @@ BusName=org.freedesktop.portable1
  CapabilityBoundingSet=CAP_KILL CAP_SYS_PTRACE CAP_SYS_ADMIN CAP_SETGID CAP_SYS_CHROOT CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE CAP_CHOWN CAP_FOWNER CAP_FSETID CAP_MKNOD
  MemoryDenyWriteExecute=yes
  ProtectHostname=yes
+ProtectKernelLogs=yes
  RestrictRealtime=yes
  RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
  SystemCallFilter=@system-service @mount
diff --git a/units/systemd-resolved.service.in b/units/systemd-resolved.service.in

index 22cb20236379aa8ac3515ca2cf095c3a0a6f7fda..f73697832ccec4d3f35a726c2df189329932b40c 100644 (file)
--- a/units/systemd-resolved.service.in
+++ b/units/systemd-resolved.service.in
@@ -32,6 +32,7 @@ ProtectControlGroups=yes
  ProtectHome=yes
  ProtectKernelModules=yes
  ProtectKernelTunables=yes
+ProtectKernelLogs=yes
  ProtectSystem=strict
  Restart=always
  RestartSec=0
diff --git a/units/systemd-timedated.service.in b/units/systemd-timedated.service.in

index 819cb4dba290bedd67906063d9c708b5f4b2917d..87859f4aef316765b8ea4e626e39222b88f40b60 100644 (file)
--- a/units/systemd-timedated.service.in
+++ b/units/systemd-timedated.service.in
@@ -27,6 +27,7 @@ ProtectHome=yes
  ProtectHostname=yes
  ProtectKernelModules=yes
  ProtectKernelTunables=yes
+ProtectKernelLogs=yes
  ProtectSystem=strict
  ReadWritePaths=/etc
  RestrictAddressFamilies=AF_UNIX
diff --git a/units/systemd-timesyncd.service.in b/units/systemd-timesyncd.service.in

index 1a866fcc7a8ea8e76f5db17ebe7545097d8dfd7e..f0486a70ab7def2d2c7225dc9c05ae9e43c8094e 100644 (file)
--- a/units/systemd-timesyncd.service.in
+++ b/units/systemd-timesyncd.service.in
@@ -32,6 +32,7 @@ ProtectHome=yes
  ProtectHostname=yes
  ProtectKernelModules=yes
  ProtectKernelTunables=yes
+ProtectKernelLogs=yes
  ProtectSystem=strict
  Restart=always
  RestartSec=0
author	Kevin Kuehler <keur@xcf.berkeley.edu>
	Thu, 14 Nov 2019 00:56:23 +0000 (16:56 -0800)
committer	Kevin Kuehler <keur@xcf.berkeley.edu>
	Fri, 15 Nov 2019 08:59:54 +0000 (00:59 -0800)
units/systemd-coredump@.service.in		patch \| blob \| blame \| history
units/systemd-hostnamed.service.in		patch \| blob \| blame \| history
units/systemd-journal-gatewayd.service.in		patch \| blob \| blame \| history
units/systemd-journal-remote.service.in		patch \| blob \| blame \| history
units/systemd-journal-upload.service.in		patch \| blob \| blame \| history
units/systemd-localed.service.in		patch \| blob \| blame \| history
units/systemd-logind.service.in		patch \| blob \| blame \| history
units/systemd-machined.service.in		patch \| blob \| blame \| history
units/systemd-networkd.service.in		patch \| blob \| blame \| history
units/systemd-portabled.service.in		patch \| blob \| blame \| history
units/systemd-resolved.service.in		patch \| blob \| blame \| history
units/systemd-timedated.service.in		patch \| blob \| blame \| history
units/systemd-timesyncd.service.in		patch \| blob \| blame \| history