From: Zbigniew Jędrzejewski-Szmek
Date: Tue, 18 Dec 2018 13:02:56 +0000 (+0100)
Subject: Revert "units: set NoNewPrivileges= for all long-running services"
X-Git-Tag: v240~22^2~4
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=04c65645fa33a08aed5aaa0981eeed9957a206fd;p=thirdparty%2Fsystemd.git
Revert "units: set NoNewPrivileges= for all long-running services"
This reverts commit 3ca9940cb95cb263c6bfe5cfee72df232fe46a94.
Let's split the commit in two: the sorting and the changes. Because there's a requirement to update selinux policy, this change is incompatible, strictly speaking. I expect that distributions might want to revert this particular change. Let's make it easy.
---
diff --git a/units/systemd-coredump@.service.in b/units/systemd-coredump@.service.in
index ffcb5f36ca6..215696ecd1e 100644
--- a/units/systemd-coredump@.service.in
+++ b/units/systemd-coredump@.service.in
@@ -18,25 +18,24 @@ Before=shutdown.target
 
 [Service]
 ExecStart=-@rootlibexecdir@/systemd-coredump
-IPAddressDeny=any
-LockPersonality=yes
-MemoryDenyWriteExecute=yes
 Nice=9
-NoNewPrivileges=yes
 OOMScoreAdjust=500
+RuntimeMaxSec=5min
+PrivateTmp=yes
 PrivateDevices=yes
 PrivateNetwork=yes
-PrivateTmp=yes
-ProtectControlGroups=yes
+ProtectSystem=strict
 ProtectHome=yes
-ProtectKernelModules=yes
+ProtectControlGroups=yes
 ProtectKernelTunables=yes
-ProtectSystem=strict
-RestrictAddressFamilies=AF_UNIX
-RestrictNamespaces=yes
+ProtectKernelModules=yes
+MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
-RuntimeMaxSec=5min
-StateDirectory=systemd/coredump
-SystemCallArchitectures=native
-SystemCallErrorNumber=EPERM
+RestrictNamespaces=yes
+RestrictAddressFamilies=AF_UNIX
 SystemCallFilter=@system-service
+SystemCallErrorNumber=EPERM
+SystemCallArchitectures=native
+LockPersonality=yes
+IPAddressDeny=any
+StateDirectory=systemd/coredump
diff --git a/units/systemd-hostnamed.service.in b/units/systemd-hostnamed.service.in
index 9c925e80d9f..da74b4fe8b2 100644
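Review bot: Removing `NoNewPrivileges=yes` leaves the root-running services in this commit — coredump in this hunk, and hostnamed, initctl, journald, localed, logind, machined, rfkill and timedated in the later ones — with no other setting that provides the no_new_privs guard; as far as I can tell systemd only implies that flag for services that run unprivileged and use seccomp, so for these units the revert is a real loss of hardening rather than a reordering. For the units that keep a dedicated `User=` together with `SystemCallFilter=` or `SystemCallArchitectures=` (journal-gatewayd, journal-remote, journal-upload, networkd, resolved, timesyncd) the flag is presumably still applied implicitly, because an unprivileged process cannot install a seccomp filter without it. That split is worth confirming and recording in the commit message so readers know which units are actually affected. Since the omission is deliberate, a one-line `# NoNewPrivileges= is intentionally unset: it requires an updated SELinux policy first` above these `[Service]` keys would keep the setting from being re-added piecemeal; if the split re-application follows right away, the explanation in the commit message is enough.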
--- a/units/systemd-hostnamed.service.in
+++ b/units/systemd-hostnamed.service.in
@@ -13,26 +13,25 @@ Documentation=man:systemd-hostnamed.service(8) man:hostname(5) man:machine-info(
 Documentation=https://www.freedesktop.org/wiki/Software/systemd/hostnamed
 
 [Service]
+ExecStart=@rootlibexecdir@/systemd-hostnamed
 BusName=org.freedesktop.hostname1
+WatchdogSec=3min
 CapabilityBoundingSet=CAP_SYS_ADMIN
-ExecStart=@rootlibexecdir@/systemd-hostnamed
-IPAddressDeny=any
-LockPersonality=yes
-MemoryDenyWriteExecute=yes
-NoNewPrivileges=yes
+PrivateTmp=yes
 PrivateDevices=yes
 PrivateNetwork=yes
-PrivateTmp=yes
-ProtectControlGroups=yes
+ProtectSystem=strict
 ProtectHome=yes
-ProtectKernelModules=yes
+ProtectControlGroups=yes
 ProtectKernelTunables=yes
-ProtectSystem=strict
-ReadWritePaths=/etc
-RestrictAddressFamilies=AF_UNIX
-RestrictNamespaces=yes
+ProtectKernelModules=yes
+MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
-SystemCallArchitectures=native
-SystemCallErrorNumber=EPERM
+RestrictNamespaces=yes
+RestrictAddressFamilies=AF_UNIX
 SystemCallFilter=@system-service sethostname
-WatchdogSec=3min
+SystemCallErrorNumber=EPERM
+SystemCallArchitectures=native
+LockPersonality=yes
+IPAddressDeny=any
+ReadWritePaths=/etc
diff --git a/units/systemd-initctl.service.in b/units/systemd-initctl.service.in
index c2762839084..2b4b957dce3 100644
--- a/units/systemd-initctl.service.in
+++ b/units/systemd-initctl.service.in
@@ -13,7 +13,6 @@ Documentation=man:systemd-initctl.service(8)
 DefaultDependencies=no
 
 [Service]
-ExecStart=@rootlibexecdir@/systemd-initctl
-NoNewPrivileges=yes
 NotifyAccess=all
+ExecStart=@rootlibexecdir@/systemd-initctl
 SystemCallArchitectures=native
diff --git a/units/systemd-journal-gatewayd.service.in b/units/systemd-journal-gatewayd.service.in
index ebc8bf9a254..a51d59d1011 100644
--- a/units/systemd-journal-gatewayd.service.in
+++ b/units/systemd-journal-gatewayd.service.in
@@ -13,23 +13,22 @@ Documentation=man:systemd-journal-gatewayd(8)
 Requires=systemd-journal-gatewayd.socket
 
 [Service]
-DynamicUser=yes
 ExecStart=@rootlibexecdir@/systemd-journal-gatewayd
-LockPersonality=yes
-MemoryDenyWriteExecute=yes
-NoNewPrivileges=yes
+User=systemd-journal-gateway
+SupplementaryGroups=systemd-journal
+DynamicUser=yes
 PrivateDevices=yes
 PrivateNetwork=yes
-ProtectControlGroups=yes
 ProtectHome=yes
-ProtectKernelModules=yes
+ProtectControlGroups=yes
 ProtectKernelTunables=yes
-RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
-RestrictNamespaces=yes
+ProtectKernelModules=yes
+MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
-SupplementaryGroups=systemd-journal
+RestrictNamespaces=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
 SystemCallArchitectures=native
-User=systemd-journal-gateway
+LockPersonality=yes
 
 # If there are many split up journal files we need a lot of fds to access them
 # all in parallel.
diff --git a/units/systemd-journal-remote.service.in b/units/systemd-journal-remote.service.in
index 29a99aaec1a..fa8682cd285 100644
--- a/units/systemd-journal-remote.service.in
+++ b/units/systemd-journal-remote.service.in
@@ -14,24 +14,23 @@ Requires=systemd-journal-remote.socket
 
 [Service]
 ExecStart=@rootlibexecdir@/systemd-journal-remote --listen-https=-3 --output=/var/log/journal/remote/
-LockPersonality=yes
-LogsDirectory=journal/remote
-MemoryDenyWriteExecute=yes
-NoNewPrivileges=yes
+User=systemd-journal-remote
+WatchdogSec=3min
+PrivateTmp=yes
 PrivateDevices=yes
 PrivateNetwork=yes
-PrivateTmp=yes
-ProtectControlGroups=yes
+ProtectSystem=strict
 ProtectHome=yes
-ProtectKernelModules=yes
+ProtectControlGroups=yes
 ProtectKernelTunables=yes
-ProtectSystem=strict
-RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
-RestrictNamespaces=yes
+ProtectKernelModules=yes
+MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
+RestrictNamespaces=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
 SystemCallArchitectures=native
-User=systemd-journal-remote
-WatchdogSec=3min
+LockPersonality=yes
+LogsDirectory=journal/remote
 
 # If there are many split up journal files we need a lot of fds to access them
 # all in parallel.
diff --git a/units/systemd-journal-upload.service.in b/units/systemd-journal-upload.service.in
index 92cd4e52592..1ded9908779 100644
--- a/units/systemd-journal-upload.service.in
+++ b/units/systemd-journal-upload.service.in
@@ -14,24 +14,23 @@ Wants=network-online.target
 After=network-online.target
 
 [Service]
-DynamicUser=yes
 ExecStart=@rootlibexecdir@/systemd-journal-upload --save-state
-LockPersonality=yes
-MemoryDenyWriteExecute=yes
-NoNewPrivileges=yes
+User=systemd-journal-upload
+DynamicUser=yes
+SupplementaryGroups=systemd-journal
+WatchdogSec=3min
 PrivateDevices=yes
-ProtectControlGroups=yes
 ProtectHome=yes
-ProtectKernelModules=yes
+ProtectControlGroups=yes
 ProtectKernelTunables=yes
-RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
-RestrictNamespaces=yes
+ProtectKernelModules=yes
+MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
-StateDirectory=systemd/journal-upload
-SupplementaryGroups=systemd-journal
+RestrictNamespaces=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
 SystemCallArchitectures=native
-User=systemd-journal-upload
-WatchdogSec=3min
+LockPersonality=yes
+StateDirectory=systemd/journal-upload
 
 # If there are many split up journal files we need a lot of fds to access them
 # all in parallel.
diff --git a/units/systemd-journald.service.in b/units/systemd-journald.service.in
index 4684f095c07..41cac8cf656 100644
--- a/units/systemd-journald.service.in
+++ b/units/systemd-journald.service.in
@@ -16,25 +16,24 @@ After=systemd-journald.socket systemd-journald-dev-log.socket systemd-journald-a
 Before=sysinit.target
 
 [Service]
-CapabilityBoundingSet=CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SYS_PTRACE CAP_SYSLOG CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_CHOWN CAP_DAC_READ_SEARCH CAP_FOWNER CAP_SETUID CAP_SETGID CAP_MAC_OVERRIDE
+Type=notify
+Sockets=systemd-journald.socket systemd-journald-dev-log.socket systemd-journald-audit.socket
 ExecStart=@rootlibexecdir@/systemd-journald
-FileDescriptorStoreMax=4224
-IPAddressDeny=any
-LockPersonality=yes
-MemoryDenyWriteExecute=yes
-NoNewPrivileges=yes
 Restart=always
 RestartSec=0
-RestrictAddressFamilies=AF_UNIX AF_NETLINK
-RestrictNamespaces=yes
-RestrictRealtime=yes
-Sockets=systemd-journald.socket systemd-journald-dev-log.socket systemd-journald-audit.socket
 StandardOutput=null
-SystemCallArchitectures=native
-SystemCallErrorNumber=EPERM
-SystemCallFilter=@system-service
-Type=notify
 WatchdogSec=3min
+FileDescriptorStoreMax=4224
+CapabilityBoundingSet=CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SYS_PTRACE CAP_SYSLOG CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_CHOWN CAP_DAC_READ_SEARCH CAP_FOWNER CAP_SETUID CAP_SETGID CAP_MAC_OVERRIDE
+MemoryDenyWriteExecute=yes
+RestrictRealtime=yes
+RestrictNamespaces=yes
+RestrictAddressFamilies=AF_UNIX AF_NETLINK
+SystemCallFilter=@system-service
+SystemCallErrorNumber=EPERM
+SystemCallArchitectures=native
+LockPersonality=yes
+IPAddressDeny=any
 
 # If there are many split up journal files we need a lot of fds to access them
 # all in parallel.
diff --git a/units/systemd-localed.service.in b/units/systemd-localed.service.in
index 01e0703d0e2..a24e61a0cdd 100644
--- a/units/systemd-localed.service.in
+++ b/units/systemd-localed.service.in
@@ -13,26 +13,25 @@ Documentation=man:systemd-localed.service(8) man:locale.conf(5) man:vconsole.con
 Documentation=https://www.freedesktop.org/wiki/Software/systemd/localed
 
 [Service]
+ExecStart=@rootlibexecdir@/systemd-localed
 BusName=org.freedesktop.locale1
+WatchdogSec=3min
 CapabilityBoundingSet=
-ExecStart=@rootlibexecdir@/systemd-localed
-IPAddressDeny=any
-LockPersonality=yes
-MemoryDenyWriteExecute=yes
-NoNewPrivileges=yes
+PrivateTmp=yes
 PrivateDevices=yes
 PrivateNetwork=yes
-PrivateTmp=yes
-ProtectControlGroups=yes
+ProtectSystem=strict
 ProtectHome=yes
-ProtectKernelModules=yes
+ProtectControlGroups=yes
 ProtectKernelTunables=yes
-ProtectSystem=strict
-ReadWritePaths=/etc
-RestrictAddressFamilies=AF_UNIX
-RestrictNamespaces=yes
+ProtectKernelModules=yes
+MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
-SystemCallArchitectures=native
-SystemCallErrorNumber=EPERM
+RestrictNamespaces=yes
+RestrictAddressFamilies=AF_UNIX
 SystemCallFilter=@system-service
-WatchdogSec=3min
+SystemCallErrorNumber=EPERM
+SystemCallArchitectures=native
+LockPersonality=yes
+IPAddressDeny=any
+ReadWritePaths=/etc
diff --git a/units/systemd-logind.service.in b/units/systemd-logind.service.in
index 38a7f269aca..961263f6071 100644
--- a/units/systemd-logind.service.in
+++ b/units/systemd-logind.service.in
@@ -20,23 +20,22 @@ Wants=dbus.socket
 After=dbus.socket
 
 [Service]
-BusName=org.freedesktop.login1
-CapabilityBoundingSet=CAP_SYS_ADMIN CAP_MAC_ADMIN CAP_AUDIT_CONTROL CAP_CHOWN CAP_KILL CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE CAP_FOWNER CAP_SYS_TTY_CONFIG
 ExecStart=@rootlibexecdir@/systemd-logind
-FileDescriptorStoreMax=512
-IPAddressDeny=any
-LockPersonality=yes
-MemoryDenyWriteExecute=yes
-NoNewPrivileges=yes
 Restart=always
 RestartSec=0
-RestrictAddressFamilies=AF_UNIX AF_NETLINK
-RestrictNamespaces=yes
+BusName=org.freedesktop.login1
+WatchdogSec=3min
+CapabilityBoundingSet=CAP_SYS_ADMIN CAP_MAC_ADMIN CAP_AUDIT_CONTROL CAP_CHOWN CAP_KILL CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE CAP_FOWNER CAP_SYS_TTY_CONFIG
+MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
-SystemCallArchitectures=native
-SystemCallErrorNumber=EPERM
+RestrictNamespaces=yes
+RestrictAddressFamilies=AF_UNIX AF_NETLINK
 SystemCallFilter=@system-service
-WatchdogSec=3min
+SystemCallErrorNumber=EPERM
+SystemCallArchitectures=native
+LockPersonality=yes
+IPAddressDeny=any
+FileDescriptorStoreMax=512
 
 # Increase the default a bit in order to allow many simultaneous logins since
 # we keep one fd open per session.
diff --git a/units/systemd-machined.service.in b/units/systemd-machined.service.in
index 9f1476814df..1200a90a61a 100644
--- a/units/systemd-machined.service.in
+++ b/units/systemd-machined.service.in
@@ -16,19 +16,18 @@ After=machine.slice
 RequiresMountsFor=/var/lib/machines
 
 [Service]
+ExecStart=@rootlibexecdir@/systemd-machined
 BusName=org.freedesktop.machine1
+WatchdogSec=3min
 CapabilityBoundingSet=CAP_KILL CAP_SYS_PTRACE CAP_SYS_ADMIN CAP_SETGID CAP_SYS_CHROOT CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE CAP_CHOWN CAP_FOWNER CAP_FSETID CAP_MKNOD
-ExecStart=@rootlibexecdir@/systemd-machined
-IPAddressDeny=any
-LockPersonality=yes
 MemoryDenyWriteExecute=yes
-NoNewPrivileges=yes
-RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
 RestrictRealtime=yes
-SystemCallArchitectures=native
-SystemCallErrorNumber=EPERM
+RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
 SystemCallFilter=@system-service @mount
-WatchdogSec=3min
+SystemCallErrorNumber=EPERM
+SystemCallArchitectures=native
+LockPersonality=yes
+IPAddressDeny=any
 
 # Note that machined cannot be placed in a mount namespace, since it
 # needs access to the host's mount namespace in order to implement the
diff --git a/units/systemd-networkd.service.in b/units/systemd-networkd.service.in
index 472ef045de9..65d3e2a6604 100644
--- a/units/systemd-networkd.service.in
+++ b/units/systemd-networkd.service.in
@@ -19,29 +19,28 @@ Conflicts=shutdown.target
 Wants=network.target
 
 [Service]
-AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW
-CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW
+Type=notify
+Restart=on-failure
+RestartSec=0
 ExecStart=!!@rootlibexecdir@/systemd-networkd
-LockPersonality=yes
-MemoryDenyWriteExecute=yes
-NoNewPrivileges=yes
-ProtectControlGroups=yes
+WatchdogSec=3min
+User=systemd-network
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW
+AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW
+ProtectSystem=strict
 ProtectHome=yes
+ProtectControlGroups=yes
 ProtectKernelModules=yes
-ProtectSystem=strict
-Restart=on-failure
-RestartSec=0
-RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6 AF_PACKET
-RestrictNamespaces=yes
+MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
+RestrictNamespaces=yes
+RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6 AF_PACKET
+SystemCallFilter=@system-service
+SystemCallErrorNumber=EPERM
+SystemCallArchitectures=native
+LockPersonality=yes
 RuntimeDirectory=systemd/netif
 RuntimeDirectoryPreserve=yes
-SystemCallArchitectures=native
-SystemCallErrorNumber=EPERM
-SystemCallFilter=@system-service
-Type=notify
-User=systemd-network
-WatchdogSec=3min
 
 [Install]
 WantedBy=multi-user.target
diff --git a/units/systemd-resolved.service.in b/units/systemd-resolved.service.in
index 3144b70063e..ef5398cbf07 100644
--- a/units/systemd-resolved.service.in
+++ b/units/systemd-resolved.service.in
@@ -20,32 +20,31 @@ Conflicts=shutdown.target
 Wants=nss-lookup.target
 
 [Service]
-AmbientCapabilities=CAP_SETPCAP CAP_NET_RAW CAP_NET_BIND_SERVICE
-CapabilityBoundingSet=CAP_SETPCAP CAP_NET_RAW CAP_NET_BIND_SERVICE
+Type=notify
+Restart=always
+RestartSec=0
 ExecStart=!!@rootlibexecdir@/systemd-resolved
-LockPersonality=yes
-MemoryDenyWriteExecute=yes
-NoNewPrivileges=yes
-PrivateDevices=yes
+WatchdogSec=3min
+User=systemd-resolve
+CapabilityBoundingSet=CAP_SETPCAP CAP_NET_RAW CAP_NET_BIND_SERVICE
+AmbientCapabilities=CAP_SETPCAP CAP_NET_RAW CAP_NET_BIND_SERVICE
 PrivateTmp=yes
-ProtectControlGroups=yes
+PrivateDevices=yes
+ProtectSystem=strict
 ProtectHome=yes
-ProtectKernelModules=yes
+ProtectControlGroups=yes
 ProtectKernelTunables=yes
-ProtectSystem=strict
-Restart=always
-RestartSec=0
-RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
-RestrictNamespaces=yes
+ProtectKernelModules=yes
+MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
+RestrictNamespaces=yes
+RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
+SystemCallFilter=@system-service
+SystemCallErrorNumber=EPERM
+SystemCallArchitectures=native
+LockPersonality=yes
 RuntimeDirectory=systemd/resolve
 RuntimeDirectoryPreserve=yes
-SystemCallArchitectures=native
-SystemCallErrorNumber=EPERM
-SystemCallFilter=@system-service
-Type=notify
-User=systemd-resolve
-WatchdogSec=3min
 
 [Install]
 WantedBy=multi-user.target
diff --git a/units/systemd-rfkill.service.in b/units/systemd-rfkill.service.in
index 3abb958310d..4b68f0b5a77 100644
--- a/units/systemd-rfkill.service.in
+++ b/units/systemd-rfkill.service.in
@@ -17,8 +17,7 @@ After=sys-devices-virtual-misc-rfkill.device systemd-remount-fs.service
 Before=shutdown.target
 
 [Service]
+Type=notify
 ExecStart=@rootlibexecdir@/systemd-rfkill
-NoNewPrivileges=yes
-StateDirectory=systemd/rfkill
 TimeoutSec=30s
-Type=notify
+StateDirectory=systemd/rfkill
diff --git a/units/systemd-timedated.service.in b/units/systemd-timedated.service.in
index 6d530241957..906bb4326ca 100644
--- a/units/systemd-timedated.service.in
+++ b/units/systemd-timedated.service.in
@@ -13,24 +13,23 @@ Documentation=man:systemd-timedated.service(8) man:localtime(5)
 Documentation=https://www.freedesktop.org/wiki/Software/systemd/timedated
 
 [Service]
+ExecStart=@rootlibexecdir@/systemd-timedated
 BusName=org.freedesktop.timedate1
+WatchdogSec=3min
 CapabilityBoundingSet=CAP_SYS_TIME
-ExecStart=@rootlibexecdir@/systemd-timedated
-IPAddressDeny=any
-LockPersonality=yes
-MemoryDenyWriteExecute=yes
-NoNewPrivileges=yes
 PrivateTmp=yes
-ProtectControlGroups=yes
+ProtectSystem=strict
 ProtectHome=yes
-ProtectKernelModules=yes
+ProtectControlGroups=yes
 ProtectKernelTunables=yes
-ProtectSystem=strict
-ReadWritePaths=/etc
-RestrictAddressFamilies=AF_UNIX
-RestrictNamespaces=yes
+ProtectKernelModules=yes
+MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
-SystemCallArchitectures=native
-SystemCallErrorNumber=EPERM
+RestrictNamespaces=yes
+RestrictAddressFamilies=AF_UNIX
 SystemCallFilter=@system-service @clock
-WatchdogSec=3min
+SystemCallErrorNumber=EPERM
+SystemCallArchitectures=native
+LockPersonality=yes
+IPAddressDeny=any
+ReadWritePaths=/etc
diff --git a/units/systemd-timesyncd.service.in b/units/systemd-timesyncd.service.in
index 03ade45d086..12f918dd11b 100644
--- a/units/systemd-timesyncd.service.in
+++ b/units/systemd-timesyncd.service.in
@@ -19,32 +19,31 @@ Conflicts=shutdown.target
 Wants=time-sync.target
 
 [Service]
-AmbientCapabilities=CAP_SYS_TIME
-CapabilityBoundingSet=CAP_SYS_TIME
+Type=notify
+Restart=always
+RestartSec=0
 ExecStart=!!@rootlibexecdir@/systemd-timesyncd
-LockPersonality=yes
-MemoryDenyWriteExecute=yes
-NoNewPrivileges=yes
-PrivateDevices=yes
+WatchdogSec=3min
+User=systemd-timesync
+CapabilityBoundingSet=CAP_SYS_TIME
+AmbientCapabilities=CAP_SYS_TIME
 PrivateTmp=yes
-ProtectControlGroups=yes
+PrivateDevices=yes
+ProtectSystem=strict
 ProtectHome=yes
-ProtectKernelModules=yes
+ProtectControlGroups=yes
 ProtectKernelTunables=yes
-ProtectSystem=strict
-Restart=always
-RestartSec=0
-RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
-RestrictNamespaces=yes
+ProtectKernelModules=yes
+MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
+RestrictNamespaces=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
 RuntimeDirectory=systemd/timesync
-StateDirectory=systemd/timesync
-SystemCallArchitectures=native
-SystemCallErrorNumber=EPERM
 SystemCallFilter=@system-service @clock
-Type=notify
-User=systemd-timesync
-WatchdogSec=3min
+SystemCallErrorNumber=EPERM
+SystemCallArchitectures=native
+LockPersonality=yes
+StateDirectory=systemd/timesync
 
 [Install]
 WantedBy=sysinit.target