From: Lennart Poettering Date: Mon, 12 Nov 2018 16:19:48 +0000 (+0100) Subject: units: set NoNewPrivileges= for all long-running services X-Git-Tag: v240~343 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=3ca9940cb95cb263c6bfe5cfee72df232fe46a94;p=thirdparty%2Fsystemd.git units: set NoNewPrivileges= for all long-running services Previously, setting this option by default was problematic due to SELinux (as this would also prohibit the transition from PID1's label to the service's label). However, this restriction has since been lifted, hence let's start making use of this universally in our services. On SELinux system this change should be synchronized with a policy update that ensures that NNP-ful transitions from init_t to service labels is permitted. An while we are at it: sort the settings in the unit files this touches. This might increase the size of the change in this case, but hopefully should result in stabler patches later on. Fixes: #1219 --- diff --git a/units/systemd-coredump@.service.in b/units/systemd-coredump@.service.in index 215696ecd1e..ffcb5f36ca6 100644 --- a/units/systemd-coredump@.service.in +++ b/units/systemd-coredump@.service.in @@ -18,24 +18,25 @@ Before=shutdown.target [Service] ExecStart=-@rootlibexecdir@/systemd-coredump +IPAddressDeny=any +LockPersonality=yes +MemoryDenyWriteExecute=yes Nice=9 +NoNewPrivileges=yes OOMScoreAdjust=500 -RuntimeMaxSec=5min -PrivateTmp=yes PrivateDevices=yes PrivateNetwork=yes -ProtectSystem=strict -ProtectHome=yes +PrivateTmp=yes ProtectControlGroups=yes -ProtectKernelTunables=yes +ProtectHome=yes ProtectKernelModules=yes -MemoryDenyWriteExecute=yes -RestrictRealtime=yes -RestrictNamespaces=yes +ProtectKernelTunables=yes +ProtectSystem=strict RestrictAddressFamilies=AF_UNIX -SystemCallFilter=@system-service -SystemCallErrorNumber=EPERM -SystemCallArchitectures=native -LockPersonality=yes -IPAddressDeny=any +RestrictNamespaces=yes +RestrictRealtime=yes +RuntimeMaxSec=5min StateDirectory=systemd/coredump +SystemCallArchitectures=native +SystemCallErrorNumber=EPERM +SystemCallFilter=@system-service diff --git a/units/systemd-hostnamed.service.in b/units/systemd-hostnamed.service.in index da74b4fe8b2..9c925e80d9f 100644 --- a/units/systemd-hostnamed.service.in +++ b/units/systemd-hostnamed.service.in @@ -13,25 +13,26 @@ Documentation=man:systemd-hostnamed.service(8) man:hostname(5) man:machine-info( Documentation=https://www.freedesktop.org/wiki/Software/systemd/hostnamed [Service] -ExecStart=@rootlibexecdir@/systemd-hostnamed BusName=org.freedesktop.hostname1 -WatchdogSec=3min CapabilityBoundingSet=CAP_SYS_ADMIN -PrivateTmp=yes +ExecStart=@rootlibexecdir@/systemd-hostnamed +IPAddressDeny=any +LockPersonality=yes +MemoryDenyWriteExecute=yes +NoNewPrivileges=yes PrivateDevices=yes PrivateNetwork=yes -ProtectSystem=strict -ProtectHome=yes +PrivateTmp=yes ProtectControlGroups=yes -ProtectKernelTunables=yes +ProtectHome=yes ProtectKernelModules=yes -MemoryDenyWriteExecute=yes -RestrictRealtime=yes -RestrictNamespaces=yes +ProtectKernelTunables=yes +ProtectSystem=strict +ReadWritePaths=/etc RestrictAddressFamilies=AF_UNIX -SystemCallFilter=@system-service sethostname -SystemCallErrorNumber=EPERM +RestrictNamespaces=yes +RestrictRealtime=yes SystemCallArchitectures=native -LockPersonality=yes -IPAddressDeny=any -ReadWritePaths=/etc +SystemCallErrorNumber=EPERM +SystemCallFilter=@system-service sethostname +WatchdogSec=3min diff --git a/units/systemd-initctl.service.in b/units/systemd-initctl.service.in index 2b4b957dce3..c2762839084 100644 --- a/units/systemd-initctl.service.in +++ b/units/systemd-initctl.service.in @@ -13,6 +13,7 @@ Documentation=man:systemd-initctl.service(8) DefaultDependencies=no [Service] -NotifyAccess=all ExecStart=@rootlibexecdir@/systemd-initctl +NoNewPrivileges=yes +NotifyAccess=all SystemCallArchitectures=native diff --git a/units/systemd-journal-gatewayd.service.in b/units/systemd-journal-gatewayd.service.in index a51d59d1011..ebc8bf9a254 100644 --- a/units/systemd-journal-gatewayd.service.in +++ b/units/systemd-journal-gatewayd.service.in @@ -13,22 +13,23 @@ Documentation=man:systemd-journal-gatewayd(8) Requires=systemd-journal-gatewayd.socket [Service] -ExecStart=@rootlibexecdir@/systemd-journal-gatewayd -User=systemd-journal-gateway -SupplementaryGroups=systemd-journal DynamicUser=yes +ExecStart=@rootlibexecdir@/systemd-journal-gatewayd +LockPersonality=yes +MemoryDenyWriteExecute=yes +NoNewPrivileges=yes PrivateDevices=yes PrivateNetwork=yes -ProtectHome=yes ProtectControlGroups=yes -ProtectKernelTunables=yes +ProtectHome=yes ProtectKernelModules=yes -MemoryDenyWriteExecute=yes -RestrictRealtime=yes -RestrictNamespaces=yes +ProtectKernelTunables=yes RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 +RestrictNamespaces=yes +RestrictRealtime=yes +SupplementaryGroups=systemd-journal SystemCallArchitectures=native -LockPersonality=yes +User=systemd-journal-gateway # If there are many split up journal files we need a lot of fds to access them # all in parallel. diff --git a/units/systemd-journal-remote.service.in b/units/systemd-journal-remote.service.in index fa8682cd285..29a99aaec1a 100644 --- a/units/systemd-journal-remote.service.in +++ b/units/systemd-journal-remote.service.in @@ -14,23 +14,24 @@ Requires=systemd-journal-remote.socket [Service] ExecStart=@rootlibexecdir@/systemd-journal-remote --listen-https=-3 --output=/var/log/journal/remote/ -User=systemd-journal-remote -WatchdogSec=3min -PrivateTmp=yes +LockPersonality=yes +LogsDirectory=journal/remote +MemoryDenyWriteExecute=yes +NoNewPrivileges=yes PrivateDevices=yes PrivateNetwork=yes -ProtectSystem=strict -ProtectHome=yes +PrivateTmp=yes ProtectControlGroups=yes -ProtectKernelTunables=yes +ProtectHome=yes ProtectKernelModules=yes -MemoryDenyWriteExecute=yes -RestrictRealtime=yes -RestrictNamespaces=yes +ProtectKernelTunables=yes +ProtectSystem=strict RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 +RestrictNamespaces=yes +RestrictRealtime=yes SystemCallArchitectures=native -LockPersonality=yes -LogsDirectory=journal/remote +User=systemd-journal-remote +WatchdogSec=3min # If there are many split up journal files we need a lot of fds to access them # all in parallel. diff --git a/units/systemd-journal-upload.service.in b/units/systemd-journal-upload.service.in index 1ded9908779..92cd4e52592 100644 --- a/units/systemd-journal-upload.service.in +++ b/units/systemd-journal-upload.service.in @@ -14,23 +14,24 @@ Wants=network-online.target After=network-online.target [Service] -ExecStart=@rootlibexecdir@/systemd-journal-upload --save-state -User=systemd-journal-upload DynamicUser=yes -SupplementaryGroups=systemd-journal -WatchdogSec=3min +ExecStart=@rootlibexecdir@/systemd-journal-upload --save-state +LockPersonality=yes +MemoryDenyWriteExecute=yes +NoNewPrivileges=yes PrivateDevices=yes -ProtectHome=yes ProtectControlGroups=yes -ProtectKernelTunables=yes +ProtectHome=yes ProtectKernelModules=yes -MemoryDenyWriteExecute=yes -RestrictRealtime=yes -RestrictNamespaces=yes +ProtectKernelTunables=yes RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 -SystemCallArchitectures=native -LockPersonality=yes +RestrictNamespaces=yes +RestrictRealtime=yes StateDirectory=systemd/journal-upload +SupplementaryGroups=systemd-journal +SystemCallArchitectures=native +User=systemd-journal-upload +WatchdogSec=3min # If there are many split up journal files we need a lot of fds to access them # all in parallel. diff --git a/units/systemd-journald.service.in b/units/systemd-journald.service.in index 41cac8cf656..4684f095c07 100644 --- a/units/systemd-journald.service.in +++ b/units/systemd-journald.service.in @@ -16,24 +16,25 @@ After=systemd-journald.socket systemd-journald-dev-log.socket systemd-journald-a Before=sysinit.target [Service] -Type=notify -Sockets=systemd-journald.socket systemd-journald-dev-log.socket systemd-journald-audit.socket +CapabilityBoundingSet=CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SYS_PTRACE CAP_SYSLOG CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_CHOWN CAP_DAC_READ_SEARCH CAP_FOWNER CAP_SETUID CAP_SETGID CAP_MAC_OVERRIDE ExecStart=@rootlibexecdir@/systemd-journald -Restart=always -RestartSec=0 -StandardOutput=null -WatchdogSec=3min FileDescriptorStoreMax=4224 -CapabilityBoundingSet=CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SYS_PTRACE CAP_SYSLOG CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_CHOWN CAP_DAC_READ_SEARCH CAP_FOWNER CAP_SETUID CAP_SETGID CAP_MAC_OVERRIDE +IPAddressDeny=any +LockPersonality=yes MemoryDenyWriteExecute=yes -RestrictRealtime=yes -RestrictNamespaces=yes +NoNewPrivileges=yes +Restart=always +RestartSec=0 RestrictAddressFamilies=AF_UNIX AF_NETLINK -SystemCallFilter=@system-service -SystemCallErrorNumber=EPERM +RestrictNamespaces=yes +RestrictRealtime=yes +Sockets=systemd-journald.socket systemd-journald-dev-log.socket systemd-journald-audit.socket +StandardOutput=null SystemCallArchitectures=native -LockPersonality=yes -IPAddressDeny=any +SystemCallErrorNumber=EPERM +SystemCallFilter=@system-service +Type=notify +WatchdogSec=3min # If there are many split up journal files we need a lot of fds to access them # all in parallel. diff --git a/units/systemd-localed.service.in b/units/systemd-localed.service.in index a24e61a0cdd..01e0703d0e2 100644 --- a/units/systemd-localed.service.in +++ b/units/systemd-localed.service.in @@ -13,25 +13,26 @@ Documentation=man:systemd-localed.service(8) man:locale.conf(5) man:vconsole.con Documentation=https://www.freedesktop.org/wiki/Software/systemd/localed [Service] -ExecStart=@rootlibexecdir@/systemd-localed BusName=org.freedesktop.locale1 -WatchdogSec=3min CapabilityBoundingSet= -PrivateTmp=yes +ExecStart=@rootlibexecdir@/systemd-localed +IPAddressDeny=any +LockPersonality=yes +MemoryDenyWriteExecute=yes +NoNewPrivileges=yes PrivateDevices=yes PrivateNetwork=yes -ProtectSystem=strict -ProtectHome=yes +PrivateTmp=yes ProtectControlGroups=yes -ProtectKernelTunables=yes +ProtectHome=yes ProtectKernelModules=yes -MemoryDenyWriteExecute=yes -RestrictRealtime=yes -RestrictNamespaces=yes +ProtectKernelTunables=yes +ProtectSystem=strict +ReadWritePaths=/etc RestrictAddressFamilies=AF_UNIX -SystemCallFilter=@system-service -SystemCallErrorNumber=EPERM +RestrictNamespaces=yes +RestrictRealtime=yes SystemCallArchitectures=native -LockPersonality=yes -IPAddressDeny=any -ReadWritePaths=/etc +SystemCallErrorNumber=EPERM +SystemCallFilter=@system-service +WatchdogSec=3min diff --git a/units/systemd-logind.service.in b/units/systemd-logind.service.in index 961263f6071..38a7f269aca 100644 --- a/units/systemd-logind.service.in +++ b/units/systemd-logind.service.in @@ -20,22 +20,23 @@ Wants=dbus.socket After=dbus.socket [Service] -ExecStart=@rootlibexecdir@/systemd-logind -Restart=always -RestartSec=0 BusName=org.freedesktop.login1 -WatchdogSec=3min CapabilityBoundingSet=CAP_SYS_ADMIN CAP_MAC_ADMIN CAP_AUDIT_CONTROL CAP_CHOWN CAP_KILL CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE CAP_FOWNER CAP_SYS_TTY_CONFIG +ExecStart=@rootlibexecdir@/systemd-logind +FileDescriptorStoreMax=512 +IPAddressDeny=any +LockPersonality=yes MemoryDenyWriteExecute=yes -RestrictRealtime=yes -RestrictNamespaces=yes +NoNewPrivileges=yes +Restart=always +RestartSec=0 RestrictAddressFamilies=AF_UNIX AF_NETLINK -SystemCallFilter=@system-service -SystemCallErrorNumber=EPERM +RestrictNamespaces=yes +RestrictRealtime=yes SystemCallArchitectures=native -LockPersonality=yes -IPAddressDeny=any -FileDescriptorStoreMax=512 +SystemCallErrorNumber=EPERM +SystemCallFilter=@system-service +WatchdogSec=3min # Increase the default a bit in order to allow many simultaneous logins since # we keep one fd open per session. diff --git a/units/systemd-machined.service.in b/units/systemd-machined.service.in index 1200a90a61a..9f1476814df 100644 --- a/units/systemd-machined.service.in +++ b/units/systemd-machined.service.in @@ -16,18 +16,19 @@ After=machine.slice RequiresMountsFor=/var/lib/machines [Service] -ExecStart=@rootlibexecdir@/systemd-machined BusName=org.freedesktop.machine1 -WatchdogSec=3min CapabilityBoundingSet=CAP_KILL CAP_SYS_PTRACE CAP_SYS_ADMIN CAP_SETGID CAP_SYS_CHROOT CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE CAP_CHOWN CAP_FOWNER CAP_FSETID CAP_MKNOD +ExecStart=@rootlibexecdir@/systemd-machined +IPAddressDeny=any +LockPersonality=yes MemoryDenyWriteExecute=yes -RestrictRealtime=yes +NoNewPrivileges=yes RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6 -SystemCallFilter=@system-service @mount -SystemCallErrorNumber=EPERM +RestrictRealtime=yes SystemCallArchitectures=native -LockPersonality=yes -IPAddressDeny=any +SystemCallErrorNumber=EPERM +SystemCallFilter=@system-service @mount +WatchdogSec=3min # Note that machined cannot be placed in a mount namespace, since it # needs access to the host's mount namespace in order to implement the diff --git a/units/systemd-networkd.service.in b/units/systemd-networkd.service.in index 65d3e2a6604..472ef045de9 100644 --- a/units/systemd-networkd.service.in +++ b/units/systemd-networkd.service.in @@ -19,28 +19,29 @@ Conflicts=shutdown.target Wants=network.target [Service] -Type=notify -Restart=on-failure -RestartSec=0 -ExecStart=!!@rootlibexecdir@/systemd-networkd -WatchdogSec=3min -User=systemd-network -CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW -ProtectSystem=strict -ProtectHome=yes +CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW +ExecStart=!!@rootlibexecdir@/systemd-networkd +LockPersonality=yes +MemoryDenyWriteExecute=yes +NoNewPrivileges=yes ProtectControlGroups=yes +ProtectHome=yes ProtectKernelModules=yes -MemoryDenyWriteExecute=yes -RestrictRealtime=yes -RestrictNamespaces=yes +ProtectSystem=strict +Restart=on-failure +RestartSec=0 RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6 AF_PACKET -SystemCallFilter=@system-service -SystemCallErrorNumber=EPERM -SystemCallArchitectures=native -LockPersonality=yes +RestrictNamespaces=yes +RestrictRealtime=yes RuntimeDirectory=systemd/netif RuntimeDirectoryPreserve=yes +SystemCallArchitectures=native +SystemCallErrorNumber=EPERM +SystemCallFilter=@system-service +Type=notify +User=systemd-network +WatchdogSec=3min [Install] WantedBy=multi-user.target diff --git a/units/systemd-resolved.service.in b/units/systemd-resolved.service.in index ef5398cbf07..3144b70063e 100644 --- a/units/systemd-resolved.service.in +++ b/units/systemd-resolved.service.in @@ -20,31 +20,32 @@ Conflicts=shutdown.target Wants=nss-lookup.target [Service] -Type=notify -Restart=always -RestartSec=0 -ExecStart=!!@rootlibexecdir@/systemd-resolved -WatchdogSec=3min -User=systemd-resolve -CapabilityBoundingSet=CAP_SETPCAP CAP_NET_RAW CAP_NET_BIND_SERVICE AmbientCapabilities=CAP_SETPCAP CAP_NET_RAW CAP_NET_BIND_SERVICE -PrivateTmp=yes +CapabilityBoundingSet=CAP_SETPCAP CAP_NET_RAW CAP_NET_BIND_SERVICE +ExecStart=!!@rootlibexecdir@/systemd-resolved +LockPersonality=yes +MemoryDenyWriteExecute=yes +NoNewPrivileges=yes PrivateDevices=yes -ProtectSystem=strict -ProtectHome=yes +PrivateTmp=yes ProtectControlGroups=yes -ProtectKernelTunables=yes +ProtectHome=yes ProtectKernelModules=yes -MemoryDenyWriteExecute=yes -RestrictRealtime=yes -RestrictNamespaces=yes +ProtectKernelTunables=yes +ProtectSystem=strict +Restart=always +RestartSec=0 RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6 -SystemCallFilter=@system-service -SystemCallErrorNumber=EPERM -SystemCallArchitectures=native -LockPersonality=yes +RestrictNamespaces=yes +RestrictRealtime=yes RuntimeDirectory=systemd/resolve RuntimeDirectoryPreserve=yes +SystemCallArchitectures=native +SystemCallErrorNumber=EPERM +SystemCallFilter=@system-service +Type=notify +User=systemd-resolve +WatchdogSec=3min [Install] WantedBy=multi-user.target diff --git a/units/systemd-rfkill.service.in b/units/systemd-rfkill.service.in index 4b68f0b5a77..3abb958310d 100644 --- a/units/systemd-rfkill.service.in +++ b/units/systemd-rfkill.service.in @@ -17,7 +17,8 @@ After=sys-devices-virtual-misc-rfkill.device systemd-remount-fs.service Before=shutdown.target [Service] -Type=notify ExecStart=@rootlibexecdir@/systemd-rfkill -TimeoutSec=30s +NoNewPrivileges=yes StateDirectory=systemd/rfkill +TimeoutSec=30s +Type=notify diff --git a/units/systemd-timedated.service.in b/units/systemd-timedated.service.in index 906bb4326ca..6d530241957 100644 --- a/units/systemd-timedated.service.in +++ b/units/systemd-timedated.service.in @@ -13,23 +13,24 @@ Documentation=man:systemd-timedated.service(8) man:localtime(5) Documentation=https://www.freedesktop.org/wiki/Software/systemd/timedated [Service] -ExecStart=@rootlibexecdir@/systemd-timedated BusName=org.freedesktop.timedate1 -WatchdogSec=3min CapabilityBoundingSet=CAP_SYS_TIME +ExecStart=@rootlibexecdir@/systemd-timedated +IPAddressDeny=any +LockPersonality=yes +MemoryDenyWriteExecute=yes +NoNewPrivileges=yes PrivateTmp=yes -ProtectSystem=strict -ProtectHome=yes ProtectControlGroups=yes -ProtectKernelTunables=yes +ProtectHome=yes ProtectKernelModules=yes -MemoryDenyWriteExecute=yes -RestrictRealtime=yes -RestrictNamespaces=yes +ProtectKernelTunables=yes +ProtectSystem=strict +ReadWritePaths=/etc RestrictAddressFamilies=AF_UNIX -SystemCallFilter=@system-service @clock -SystemCallErrorNumber=EPERM +RestrictNamespaces=yes +RestrictRealtime=yes SystemCallArchitectures=native -LockPersonality=yes -IPAddressDeny=any -ReadWritePaths=/etc +SystemCallErrorNumber=EPERM +SystemCallFilter=@system-service @clock +WatchdogSec=3min diff --git a/units/systemd-timesyncd.service.in b/units/systemd-timesyncd.service.in index 12f918dd11b..03ade45d086 100644 --- a/units/systemd-timesyncd.service.in +++ b/units/systemd-timesyncd.service.in @@ -19,31 +19,32 @@ Conflicts=shutdown.target Wants=time-sync.target [Service] -Type=notify -Restart=always -RestartSec=0 -ExecStart=!!@rootlibexecdir@/systemd-timesyncd -WatchdogSec=3min -User=systemd-timesync -CapabilityBoundingSet=CAP_SYS_TIME AmbientCapabilities=CAP_SYS_TIME -PrivateTmp=yes +CapabilityBoundingSet=CAP_SYS_TIME +ExecStart=!!@rootlibexecdir@/systemd-timesyncd +LockPersonality=yes +MemoryDenyWriteExecute=yes +NoNewPrivileges=yes PrivateDevices=yes -ProtectSystem=strict -ProtectHome=yes +PrivateTmp=yes ProtectControlGroups=yes -ProtectKernelTunables=yes +ProtectHome=yes ProtectKernelModules=yes -MemoryDenyWriteExecute=yes -RestrictRealtime=yes -RestrictNamespaces=yes +ProtectKernelTunables=yes +ProtectSystem=strict +Restart=always +RestartSec=0 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 +RestrictNamespaces=yes +RestrictRealtime=yes RuntimeDirectory=systemd/timesync -SystemCallFilter=@system-service @clock -SystemCallErrorNumber=EPERM -SystemCallArchitectures=native -LockPersonality=yes StateDirectory=systemd/timesync +SystemCallArchitectures=native +SystemCallErrorNumber=EPERM +SystemCallFilter=@system-service @clock +Type=notify +User=systemd-timesync +WatchdogSec=3min [Install] WantedBy=sysinit.target