]> git.ipfire.org Git - thirdparty/systemd.git/commitdiff
projects / thirdparty / systemd.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 924453c)
units: make use of @reboot and @swap in our long-running service SystemCallFilter... 5283/head
authorLennart Poettering <lennart@poettering.net>
Thu, 9 Feb 2017 10:22:08 +0000 (11:22 +0100)
committerLennart Poettering <lennart@poettering.net>
Thu, 9 Feb 2017 15:12:03 +0000 (16:12 +0100)
Tighten security up a bit more.

units/systemd-hostnamed.service.in patch | blob | blame | history
units/systemd-importd.service.in patch | blob | blame | history
units/systemd-journald.service.in patch | blob | blame | history
units/systemd-localed.service.in patch | blob | blame | history
units/systemd-logind.service.in patch | blob | blame | history
units/systemd-machined.service.in patch | blob | blame | history
units/systemd-networkd.service.m4.in patch | blob | blame | history
units/systemd-resolved.service.m4.in patch | blob | blame | history
units/systemd-timedated.service.in patch | blob | blame | history
units/systemd-timesyncd.service.in patch | blob | blame | history

diff --git a/units/systemd-hostnamed.service.in b/units/systemd-hostnamed.service.in
index 85410adc72bb671796968244ee737a74519290d8..01a8ec9f57367e5232cc6a3b5531d7ef0f5c8e31 100644 (file)
--- a/units/systemd-hostnamed.service.in
+++ b/units/systemd-hostnamed.service.in
@@ -27,6 +27,6 @@ MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictNamespaces=yes
 RestrictAddressFamilies=AF_UNIX
-SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io
+SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
 SystemCallArchitectures=native
 ReadWritePaths=/etc
diff --git a/units/systemd-importd.service.in b/units/systemd-importd.service.in
index de2431739ff85bdf89ec17977805b7244e11d396..75585d5dbcc4a21b74f8abaabe47d559a6d7f9e6 100644 (file)
--- a/units/systemd-importd.service.in
+++ b/units/systemd-importd.service.in
@@ -21,5 +21,5 @@ MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictNamespaces=net
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
-SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @obsolete @raw-io
+SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @obsolete @raw-io @reboot @swap
 SystemCallArchitectures=native
diff --git a/units/systemd-journald.service.in b/units/systemd-journald.service.in
index adabedd977b2b2f3ee482413ecf4d494d0369a66..64253f59d4c9df4650d8cab0c53741dc1018db94 100644 (file)
--- a/units/systemd-journald.service.in
+++ b/units/systemd-journald.service.in
@@ -28,7 +28,7 @@ MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictNamespaces=yes
 RestrictAddressFamilies=AF_UNIX AF_NETLINK
-SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io
+SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
 SystemCallArchitectures=native
 
 # Increase the default a bit in order to allow many simultaneous
diff --git a/units/systemd-localed.service.in b/units/systemd-localed.service.in
index a41e30bfdf55e200ab52fdb20e12a899c70442ee..f76012a34c8b54b6847cb194b1bac4eb89bbada1 100644 (file)
--- a/units/systemd-localed.service.in
+++ b/units/systemd-localed.service.in
@@ -27,6 +27,6 @@ MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictNamespaces=yes
 RestrictAddressFamilies=AF_UNIX
-SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io
+SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
 SystemCallArchitectures=native
 ReadWritePaths=/etc
diff --git a/units/systemd-logind.service.in b/units/systemd-logind.service.in
index 93abeb3dca03a8054c76e6045ffef6e2d88e5249..e20a3ad05767484d98dda30ce83895ad1ea0c8cd 100644 (file)
--- a/units/systemd-logind.service.in
+++ b/units/systemd-logind.service.in
@@ -29,7 +29,7 @@ MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictNamespaces=yes
 RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
-SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @obsolete @raw-io
+SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @obsolete @raw-io @reboot @swap
 SystemCallArchitectures=native
 
 # Increase the default a bit in order to allow many simultaneous
diff --git a/units/systemd-machined.service.in b/units/systemd-machined.service.in
index 3c46d04f64eab223816a29b2c76f0c286838e687..0b0bbf272cd7530d507153e35beadced31d68a8c 100644 (file)
--- a/units/systemd-machined.service.in
+++ b/units/systemd-machined.service.in
@@ -20,7 +20,7 @@ CapabilityBoundingSet=CAP_KILL CAP_SYS_PTRACE CAP_SYS_ADMIN CAP_SETGID CAP_SYS_C
 MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
-SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @obsolete @raw-io
+SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @obsolete @raw-io @reboot @swap
 SystemCallArchitectures=native
 
 # Note that machined cannot be placed in a mount namespace, since it
diff --git a/units/systemd-networkd.service.m4.in b/units/systemd-networkd.service.m4.in
index d33deb97b6361b3b8dfd6b5d92202301b51c5733..c3f153046a88c0575f5f68df4cdd58ddb1298d0a 100644 (file)
--- a/units/systemd-networkd.service.m4.in
+++ b/units/systemd-networkd.service.m4.in
@@ -35,7 +35,7 @@ ProtectKernelModules=yes
 MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6 AF_PACKET
-SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io
+SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
 SystemCallArchitectures=native
 ReadWritePaths=/run/systemd
 
diff --git a/units/systemd-resolved.service.m4.in b/units/systemd-resolved.service.m4.in
index 08f0a85aea3c5ea27fbaeaa45921eb09a873913e..820e299168c2c5a614fd576a04ae5281ba806a4c 100644 (file)
--- a/units/systemd-resolved.service.m4.in
+++ b/units/systemd-resolved.service.m4.in
@@ -35,7 +35,7 @@ ProtectKernelModules=yes
 MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
-SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io
+SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
 SystemCallArchitectures=native
 ReadWritePaths=/run/systemd
 
diff --git a/units/systemd-timedated.service.in b/units/systemd-timedated.service.in
index 2881e122dc9e33171f78c37f7cf3f8999b2310d2..f691f47517209d67d59ba27fa13403bf80df7031 100644 (file)
--- a/units/systemd-timedated.service.in
+++ b/units/systemd-timedated.service.in
@@ -25,6 +25,6 @@ MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictNamespaces=yes
 RestrictAddressFamilies=AF_UNIX
-SystemCallFilter=~@cpu-emulation @debug @keyring @module @mount @obsolete @raw-io
+SystemCallFilter=~@cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
 SystemCallArchitectures=native
 ReadWritePaths=/etc
diff --git a/units/systemd-timesyncd.service.in b/units/systemd-timesyncd.service.in
index ab48a7aa30274b214e76cfa575eedaf908c4d1d9..8d328bb80a41326aa2470dff90841bd85b7c289c 100644 (file)
--- a/units/systemd-timesyncd.service.in
+++ b/units/systemd-timesyncd.service.in
@@ -35,7 +35,7 @@ MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictNamespaces=yes
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
-SystemCallFilter=~@cpu-emulation @debug @keyring @module @mount @obsolete @raw-io
+SystemCallFilter=~@cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
 SystemCallArchitectures=native
 ReadWritePaths=/var/lib/systemd
 
Unnamed repository; edit this file 'description' to name the repository.