units: switch on ProtectSystem=strict for our long running services

Let's step up the protection a notch

diff --git a/units/systemd-coredump@.service.in b/units/systemd-coredump@.service.in
index 8ae296ff2bbf013509dfc0828b1de692f81ddccd..760769191c298e261459cba29054bb3bb6c37639 100644 (file)
--- a/units/systemd-coredump@.service.in
+++ b/units/systemd-coredump@.service.in
@@ -20,6 +20,7 @@ ExecStart=-@rootlibexecdir@/systemd-coredump
 Nice=9
 OOMScoreAdjust=500
 PrivateNetwork=yes
-ProtectSystem=full
+ProtectSystem=strict
 RuntimeMaxSec=5min
 SystemCallArchitectures=native
+ReadWritePaths=/var/lib/systemd/coredump

diff --git a/units/systemd-hostnamed.service.in b/units/systemd-hostnamed.service.in
index 8a551403cff667467d2f479ed8e80dc4d5ce70a3..6904785e4519ab3d35c81f29b1cc85b5b1804a90 100644 (file)
--- a/units/systemd-hostnamed.service.in
+++ b/units/systemd-hostnamed.service.in
@@ -18,7 +18,7 @@ CapabilityBoundingSet=CAP_SYS_ADMIN
 PrivateTmp=yes
 PrivateDevices=yes
 PrivateNetwork=yes
-ProtectSystem=yes
+ProtectSystem=strict
 ProtectHome=yes
 ProtectControlGroups=yes
 ProtectKernelTunables=yes
@@ -28,3 +28,4 @@ RestrictNamespaces=yes
 RestrictAddressFamilies=AF_UNIX
 SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io
 SystemCallArchitectures=native
+ReadWritePaths=/etc

diff --git a/units/systemd-journal-gatewayd.service.in b/units/systemd-journal-gatewayd.service.in
index 677cb2a04b37a6e77ca4b48b61d9030a56301f8f..ecc5b56c9c77ba62da5f1d247b0c1f44cab1383c 100644 (file)
--- a/units/systemd-journal-gatewayd.service.in
+++ b/units/systemd-journal-gatewayd.service.in
@@ -18,7 +18,7 @@ SupplementaryGroups=systemd-journal
 PrivateTmp=yes
 PrivateDevices=yes
 PrivateNetwork=yes
-ProtectSystem=full
+ProtectSystem=strict
 ProtectHome=yes
 ProtectControlGroups=yes
 ProtectKernelTunables=yes

diff --git a/units/systemd-journal-remote.service.in b/units/systemd-journal-remote.service.in
index cab7778ddc7a5319c8d2eef0bae558fa968be5ce..323e308871e17406983748f57b7a371e477253c2 100644 (file)
--- a/units/systemd-journal-remote.service.in
+++ b/units/systemd-journal-remote.service.in
@@ -18,7 +18,7 @@ WatchdogSec=3min
 PrivateTmp=yes
 PrivateDevices=yes
 PrivateNetwork=yes
-ProtectSystem=full
+ProtectSystem=strict
 ProtectHome=yes
 ProtectControlGroups=yes
 ProtectKernelTunables=yes
@@ -27,6 +27,7 @@ RestrictRealtime=yes
 RestrictNamespaces=yes
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
 SystemCallArchitectures=native
+ReadWritePaths=/var/log/journal/remote
 
 [Install]
 Also=systemd-journal-remote.socket

diff --git a/units/systemd-journal-upload.service.in b/units/systemd-journal-upload.service.in
index f539c7dc1f81379d3a56ca92733d3522b00ed09a..d7e0b290e9229b768a1ed5aa2629dc369092abb3 100644 (file)
--- a/units/systemd-journal-upload.service.in
+++ b/units/systemd-journal-upload.service.in
@@ -18,7 +18,7 @@ SupplementaryGroups=systemd-journal
 WatchdogSec=3min
 PrivateTmp=yes
 PrivateDevices=yes
-ProtectSystem=full
+ProtectSystem=strict
 ProtectHome=yes
 ProtectControlGroups=yes
 ProtectKernelTunables=yes

diff --git a/units/systemd-localed.service.in b/units/systemd-localed.service.in
index 1b6c163ef4a5d6324fe546b39e928dc356a1fb87..d6441d9f5fad88763376ceb48f9cb2739e83087d 100644 (file)
--- a/units/systemd-localed.service.in
+++ b/units/systemd-localed.service.in
@@ -18,7 +18,7 @@ CapabilityBoundingSet=
 PrivateTmp=yes
 PrivateDevices=yes
 PrivateNetwork=yes
-ProtectSystem=yes
+ProtectSystem=strict
 ProtectHome=yes
 ProtectControlGroups=yes
 ProtectKernelTunables=yes
@@ -28,3 +28,4 @@ RestrictNamespaces=yes
 RestrictAddressFamilies=AF_UNIX
 SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io
 SystemCallArchitectures=native
+ReadWritePaths=/etc

diff --git a/units/systemd-networkd.service.m4.in b/units/systemd-networkd.service.m4.in
index 4596d31d0f474f850245d799856cc5e5c7302660..153ddeb3236d58bb70e7f1e962a61d91d9871077 100644 (file)
--- a/units/systemd-networkd.service.m4.in
+++ b/units/systemd-networkd.service.m4.in
@@ -28,7 +28,7 @@ RestartSec=0
 ExecStart=@rootlibexecdir@/systemd-networkd
 WatchdogSec=3min
 CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW CAP_SETUID CAP_SETGID CAP_SETPCAP CAP_CHOWN CAP_DAC_OVERRIDE CAP_FOWNER
-ProtectSystem=full
+ProtectSystem=strict
 ProtectHome=yes
 ProtectControlGroups=yes
 MemoryDenyWriteExecute=yes
@@ -36,6 +36,7 @@ RestrictRealtime=yes
 RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6 AF_PACKET
 SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io
 SystemCallArchitectures=native
+ReadWritePaths=/run/systemd
 
 [Install]
 WantedBy=multi-user.target

diff --git a/units/systemd-resolved.service.m4.in b/units/systemd-resolved.service.m4.in
index dcacbdaeab200e2bc838d4746bb3338335b7072a..dfd2f4ad0aaf81d6fb13303ee58ddc7765242dc9 100644 (file)
--- a/units/systemd-resolved.service.m4.in
+++ b/units/systemd-resolved.service.m4.in
@@ -27,7 +27,7 @@ WatchdogSec=3min
 CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_SETPCAP CAP_CHOWN CAP_DAC_OVERRIDE CAP_FOWNER CAP_NET_RAW CAP_NET_BIND_SERVICE
 PrivateTmp=yes
 PrivateDevices=yes
-ProtectSystem=full
+ProtectSystem=strict
 ProtectHome=yes
 ProtectControlGroups=yes
 ProtectKernelTunables=yes
@@ -36,6 +36,7 @@ RestrictRealtime=yes
 RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
 SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io
 SystemCallArchitectures=native
+ReadWritePaths=/run/systemd
 
 [Install]
 WantedBy=multi-user.target

diff --git a/units/systemd-timedated.service.in b/units/systemd-timedated.service.in
index 26756d6e017ab283f454ef305ec5f825a3c8285c..336a23129083d29fea6bcce303176b867927c115 100644 (file)
--- a/units/systemd-timedated.service.in
+++ b/units/systemd-timedated.service.in
@@ -16,7 +16,7 @@ BusName=org.freedesktop.timedate1
 WatchdogSec=3min
 CapabilityBoundingSet=CAP_SYS_TIME
 PrivateTmp=yes
-ProtectSystem=yes
+ProtectSystem=strict
 ProtectHome=yes
 ProtectControlGroups=yes
 ProtectKernelTunables=yes
@@ -26,3 +26,4 @@ RestrictNamespaces=yes
 RestrictAddressFamilies=AF_UNIX
 SystemCallFilter=~@cpu-emulation @debug @keyring @module @mount @obsolete @raw-io
 SystemCallArchitectures=native
+ReadWritePaths=/etc

diff --git a/units/systemd-timesyncd.service.in b/units/systemd-timesyncd.service.in
index 5eb3f2362f36c69fb76c63242ee7f03506180b52..41d41806c1fcb92aeaeabcbf234e0938b1a455f2 100644 (file)
--- a/units/systemd-timesyncd.service.in
+++ b/units/systemd-timesyncd.service.in
@@ -26,7 +26,7 @@ WatchdogSec=3min
 CapabilityBoundingSet=CAP_SYS_TIME CAP_SETUID CAP_SETGID CAP_SETPCAP CAP_CHOWN CAP_DAC_OVERRIDE CAP_FOWNER
 PrivateTmp=yes
 PrivateDevices=yes
-ProtectSystem=full
+ProtectSystem=strict
 ProtectHome=yes
 ProtectControlGroups=yes
 ProtectKernelTunables=yes
@@ -36,6 +36,7 @@ RestrictNamespaces=yes
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
 SystemCallFilter=~@cpu-emulation @debug @keyring @module @mount @obsolete @raw-io
 SystemCallArchitectures=native
+ReadWritePaths=/var/lib/systemd
 
 [Install]
 WantedBy=sysinit.target