units: turn on ProtectKernelModules= for most long-running services

diff --git a/units/systemd-coredump@.service.in b/units/systemd-coredump@.service.in
index 760769191c298e261459cba29054bb3bb6c37639..f12b28d6a6ba0c8f38e60c3400d8dfbfa14e851f 100644 (file)
--- a/units/systemd-coredump@.service.in
+++ b/units/systemd-coredump@.service.in
@@ -24,3 +24,4 @@ ProtectSystem=strict
 RuntimeMaxSec=5min
 SystemCallArchitectures=native
 ReadWritePaths=/var/lib/systemd/coredump
+ProtectKernelModules=yes

diff --git a/units/systemd-hostnamed.service.in b/units/systemd-hostnamed.service.in
index 6904785e4519ab3d35c81f29b1cc85b5b1804a90..85410adc72bb671796968244ee737a74519290d8 100644 (file)
--- a/units/systemd-hostnamed.service.in
+++ b/units/systemd-hostnamed.service.in
@@ -22,6 +22,7 @@ ProtectSystem=strict
 ProtectHome=yes
 ProtectControlGroups=yes
 ProtectKernelTunables=yes
+ProtectKernelModules=yes
 MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictNamespaces=yes

diff --git a/units/systemd-journal-gatewayd.service.in b/units/systemd-journal-gatewayd.service.in
index ecc5b56c9c77ba62da5f1d247b0c1f44cab1383c..99099967e7384c493666b34edcdeedc85f11723c 100644 (file)
--- a/units/systemd-journal-gatewayd.service.in
+++ b/units/systemd-journal-gatewayd.service.in
@@ -22,6 +22,7 @@ ProtectSystem=strict
 ProtectHome=yes
 ProtectControlGroups=yes
 ProtectKernelTunables=yes
+ProtectKernelModules=yes
 MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictNamespaces=yes

diff --git a/units/systemd-journal-remote.service.in b/units/systemd-journal-remote.service.in
index 323e308871e17406983748f57b7a371e477253c2..5404bf1c035bb884e3ba60c52aea5d9f34dd604e 100644 (file)
--- a/units/systemd-journal-remote.service.in
+++ b/units/systemd-journal-remote.service.in
@@ -22,6 +22,7 @@ ProtectSystem=strict
 ProtectHome=yes
 ProtectControlGroups=yes
 ProtectKernelTunables=yes
+ProtectKernelModules=yes
 MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictNamespaces=yes

diff --git a/units/systemd-journal-upload.service.in b/units/systemd-journal-upload.service.in
index d7e0b290e9229b768a1ed5aa2629dc369092abb3..b9eab2154280b57c2b3b746fa1a95fd59f15e644 100644 (file)
--- a/units/systemd-journal-upload.service.in
+++ b/units/systemd-journal-upload.service.in
@@ -22,6 +22,7 @@ ProtectSystem=strict
 ProtectHome=yes
 ProtectControlGroups=yes
 ProtectKernelTunables=yes
+ProtectKernelModules=yes
 MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictNamespaces=yes

diff --git a/units/systemd-localed.service.in b/units/systemd-localed.service.in
index d6441d9f5fad88763376ceb48f9cb2739e83087d..a41e30bfdf55e200ab52fdb20e12a899c70442ee 100644 (file)
--- a/units/systemd-localed.service.in
+++ b/units/systemd-localed.service.in
@@ -22,6 +22,7 @@ ProtectSystem=strict
 ProtectHome=yes
 ProtectControlGroups=yes
 ProtectKernelTunables=yes
+ProtectKernelModules=yes
 MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictNamespaces=yes

diff --git a/units/systemd-networkd.service.m4.in b/units/systemd-networkd.service.m4.in
index 153ddeb3236d58bb70e7f1e962a61d91d9871077..d33deb97b6361b3b8dfd6b5d92202301b51c5733 100644 (file)
--- a/units/systemd-networkd.service.m4.in
+++ b/units/systemd-networkd.service.m4.in
@@ -31,6 +31,7 @@ CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_N
 ProtectSystem=strict
 ProtectHome=yes
 ProtectControlGroups=yes
+ProtectKernelModules=yes
 MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6 AF_PACKET

diff --git a/units/systemd-resolved.service.m4.in b/units/systemd-resolved.service.m4.in
index dfd2f4ad0aaf81d6fb13303ee58ddc7765242dc9..08f0a85aea3c5ea27fbaeaa45921eb09a873913e 100644 (file)
--- a/units/systemd-resolved.service.m4.in
+++ b/units/systemd-resolved.service.m4.in
@@ -31,6 +31,7 @@ ProtectSystem=strict
 ProtectHome=yes
 ProtectControlGroups=yes
 ProtectKernelTunables=yes
+ProtectKernelModules=yes
 MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6

diff --git a/units/systemd-timedated.service.in b/units/systemd-timedated.service.in
index 336a23129083d29fea6bcce303176b867927c115..2881e122dc9e33171f78c37f7cf3f8999b2310d2 100644 (file)
--- a/units/systemd-timedated.service.in
+++ b/units/systemd-timedated.service.in
@@ -20,6 +20,7 @@ ProtectSystem=strict
 ProtectHome=yes
 ProtectControlGroups=yes
 ProtectKernelTunables=yes
+ProtectKernelModules=yes
 MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictNamespaces=yes

diff --git a/units/systemd-timesyncd.service.in b/units/systemd-timesyncd.service.in
index 41d41806c1fcb92aeaeabcbf234e0938b1a455f2..ab48a7aa30274b214e76cfa575eedaf908c4d1d9 100644 (file)
--- a/units/systemd-timesyncd.service.in
+++ b/units/systemd-timesyncd.service.in
@@ -30,6 +30,7 @@ ProtectSystem=strict
 ProtectHome=yes
 ProtectControlGroups=yes
 ProtectKernelTunables=yes
+ProtectKernelModules=yes
 MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictNamespaces=yes