units: set LockPersonality= for all our long-running services (#6819)

Let's lock things down. Also, using it is the only way how to properly
test this to the fullest extent.

diff --git a/TODO b/TODO
index e65733e33405563eb23d8eaa9c506c78314c04a6..cabba100a521ad08eee4af7a93dab0d0c2bb04cb 100644 (file)
--- a/TODO
+++ b/TODO
@@ -27,8 +27,6 @@ Features:
 * dissect: when we discover squashfs, don't claim we had a "writable" partition
   in systemd-dissect
 
-* set LockPersonality= on all our services
-
 * Add AddUser= setting to unit files, similar to DynamicUser=1 which however
   creates a static, persistent user rather than a dynamic, transient user. We
   can leverage code from sysusers.d for this.

diff --git a/units/systemd-coredump@.service.in b/units/systemd-coredump@.service.in
index c699a80f3428297f78343762f4f40d8177c45364..d7eaf3398e7070bee39ddb7e173c7f71ef43fcf5 100644 (file)
--- a/units/systemd-coredump@.service.in
+++ b/units/systemd-coredump@.service.in
@@ -33,4 +33,5 @@ RestrictNamespaces=yes
 RestrictAddressFamilies=AF_UNIX
 SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
 SystemCallArchitectures=native
+LockPersonality=yes
 StateDirectory=systemd/coredump

diff --git a/units/systemd-hostnamed.service.in b/units/systemd-hostnamed.service.in
index d29e9ff81be325c849bbebddecdb02b6d5dec99c..9bb5ad8cac002f6c72edf1ba2097c179cfcb6367 100644 (file)
--- a/units/systemd-hostnamed.service.in
+++ b/units/systemd-hostnamed.service.in
@@ -29,4 +29,5 @@ RestrictNamespaces=yes
 RestrictAddressFamilies=AF_UNIX
 SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
 SystemCallArchitectures=native
+LockPersonality=yes
 ReadWritePaths=/etc

diff --git a/units/systemd-importd.service.in b/units/systemd-importd.service.in
index 58762055eb6a569c8e1187ac7fce9ed3c77fbdc8..695a5f21cb0066b13d23642e10ca5c996c5c3e03 100644 (file)
--- a/units/systemd-importd.service.in
+++ b/units/systemd-importd.service.in
@@ -23,3 +23,4 @@ RestrictNamespaces=net
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
 SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @obsolete @raw-io @reboot @swap
 SystemCallArchitectures=native
+LockPersonality=yes

diff --git a/units/systemd-journal-gatewayd.service.in b/units/systemd-journal-gatewayd.service.in
index fd7a9718f7391ebed8442ec565990ba3c9f3cb51..b24d698c8a373c94db6dc35d0838f76c28a6ad1b 100644 (file)
--- a/units/systemd-journal-gatewayd.service.in
+++ b/units/systemd-journal-gatewayd.service.in
@@ -25,6 +25,7 @@ RestrictRealtime=yes
 RestrictNamespaces=yes
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
 SystemCallArchitectures=native
+LockPersonality=yes
 
 # If there are many split upjournal files we need a lot of fds to
 # access them all and combine

diff --git a/units/systemd-journal-remote.service.in b/units/systemd-journal-remote.service.in
index c24e673d8251ddb20676e6b7f8d3fc8db4aa53b3..92cec21c2fbe8978b8f7e6726a090a4c953c5069 100644 (file)
--- a/units/systemd-journal-remote.service.in
+++ b/units/systemd-journal-remote.service.in
@@ -27,6 +27,7 @@ RestrictRealtime=yes
 RestrictNamespaces=yes
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
 SystemCallArchitectures=native
+LockPersonality=yes
 LogsDirectory=journal/remote
 
 [Install]

diff --git a/units/systemd-journal-upload.service.in b/units/systemd-journal-upload.service.in
index b0bee3925e3194987ff78897d5cdfbe1ebd971a8..98a4b2bb7af15e62c860d6dcad46366a66a59187 100644 (file)
--- a/units/systemd-journal-upload.service.in
+++ b/units/systemd-journal-upload.service.in
@@ -28,6 +28,7 @@ RestrictRealtime=yes
 RestrictNamespaces=yes
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
 SystemCallArchitectures=native
+LockPersonality=yes
 StateDirectory=systemd/journal-upload
 
 # If there are many split up journal files we need a lot of fds to

diff --git a/units/systemd-journald.service.in b/units/systemd-journald.service.in
index 1e86d636485618cdf74fe27fc885a3fbcac97b6b..07e03e736ef7cae33997a9334aec9bf6e537dfae 100644 (file)
--- a/units/systemd-journald.service.in
+++ b/units/systemd-journald.service.in
@@ -29,6 +29,7 @@ RestrictNamespaces=yes
 RestrictAddressFamilies=AF_UNIX AF_NETLINK
 SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
 SystemCallArchitectures=native
+LockPersonality=yes
 
 # Increase the default a bit in order to allow many simultaneous
 # services being run since we keep one fd open per service. Also, when

diff --git a/units/systemd-localed.service.in b/units/systemd-localed.service.in
index 90a913881acdd5924e288760798398eeb6f7964f..1366fa791069cc4eff509bb2670391285b15c2f5 100644 (file)
--- a/units/systemd-localed.service.in
+++ b/units/systemd-localed.service.in
@@ -29,4 +29,5 @@ RestrictNamespaces=yes
 RestrictAddressFamilies=AF_UNIX
 SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
 SystemCallArchitectures=native
+LockPersonality=yes
 ReadWritePaths=/etc

diff --git a/units/systemd-logind.service.in b/units/systemd-logind.service.in
index f851373658bad3658a383457030b07497629f656..f6daf7755cd1ccbc08692e528cb1922d774131a4 100644 (file)
--- a/units/systemd-logind.service.in
+++ b/units/systemd-logind.service.in
@@ -30,6 +30,7 @@ RestrictNamespaces=yes
 RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
 SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @obsolete @raw-io @reboot @swap
 SystemCallArchitectures=native
+LockPersonality=yes
 FileDescriptorStoreMax=512
 
 # Increase the default a bit in order to allow many simultaneous

diff --git a/units/systemd-machined.service.in b/units/systemd-machined.service.in
index a4f86aa7c87de98b676c689ae711329963d2a150..fb4df3829310f3e1bde8a5cde7f9460c71e2633b 100644 (file)
--- a/units/systemd-machined.service.in
+++ b/units/systemd-machined.service.in
@@ -23,6 +23,7 @@ RestrictRealtime=yes
 RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
 SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @obsolete @raw-io @reboot @swap
 SystemCallArchitectures=native
+LockPersonality=yes
 
 # Note that machined cannot be placed in a mount namespace, since it
 # needs access to the host's mount namespace in order to implement the

diff --git a/units/systemd-networkd.service.in b/units/systemd-networkd.service.in
index 3f0ad77b7d2a9b0f1afcffbb1017ca08810ad237..932dd63964983f0441dffc963f0af36652d6a1d6 100644 (file)
--- a/units/systemd-networkd.service.in
+++ b/units/systemd-networkd.service.in
@@ -34,6 +34,7 @@ RestrictRealtime=yes
 RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6 AF_PACKET
 SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
 SystemCallArchitectures=native
+LockPersonality=yes
 RuntimeDirectory=systemd/netif
 RuntimeDirectoryPreserve=yes
 

diff --git a/units/systemd-resolved.service.in b/units/systemd-resolved.service.in
index ba8d3f6bb1656e1760c09cb00626a09ca6ec9cf0..cda83ee9666ceb2a704700ea3cb4dce205248094 100644 (file)
--- a/units/systemd-resolved.service.in
+++ b/units/systemd-resolved.service.in
@@ -36,6 +36,7 @@ RestrictRealtime=yes
 RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
 SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
 SystemCallArchitectures=native
+LockPersonality=yes
 RuntimeDirectory=systemd/resolve
 RuntimeDirectoryPreserve=yes
 

diff --git a/units/systemd-timedated.service.in b/units/systemd-timedated.service.in
index 2b5f0744c9bfa7e7752bbaa896c5cf8c53136b0e..9fca1d1905d039a5e1c7813fa953ee1acdb7f146 100644 (file)
--- a/units/systemd-timedated.service.in
+++ b/units/systemd-timedated.service.in
@@ -27,4 +27,5 @@ RestrictNamespaces=yes
 RestrictAddressFamilies=AF_UNIX
 SystemCallFilter=~@cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
 SystemCallArchitectures=native
+LockPersonality=yes
 ReadWritePaths=/etc

diff --git a/units/systemd-timesyncd.service.in b/units/systemd-timesyncd.service.in
index a6e14d24d1384c1bb97f29040020eec9903c001d..8d3f46cf5e227942f24a1b7b8567648c9239f177 100644 (file)
--- a/units/systemd-timesyncd.service.in
+++ b/units/systemd-timesyncd.service.in
@@ -38,6 +38,7 @@ RestrictNamespaces=yes
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
 SystemCallFilter=~@cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
 SystemCallArchitectures=native
+LockPersonality=yes
 StateDirectory=systemd/timesync
 
 [Install]

diff --git a/units/systemd-udevd.service.in b/units/systemd-udevd.service.in
index 3b92c6a8662cb760d870bdf58c225b1cae59761a..d3d13ed7cf2ef3291267fb5b02d4e0a3f3277f58 100644 (file)
--- a/units/systemd-udevd.service.in
+++ b/units/systemd-udevd.service.in
@@ -28,3 +28,4 @@ MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
 SystemCallArchitectures=native
+LockPersonality=yes