From: Topi Miettinen
Date: Thu, 2 Apr 2020 18:18:11 +0000 (+0300)
Subject: units: add ProtectClock=yes
X-Git-Tag: v246-rc1~639
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=cabc1c6d7adae658a2966a4b02a6faabb803e92b;p=thirdparty%2Fsystemd.git

units: add ProtectClock=yes

Add `ProtectClock=yes` to systemd units. Since it implies certain `DeviceAllow=` rules, make sure that the units have `DeviceAllow=` rules so they are still able to access other devices. Exclude timesyncd and timedated.
---
diff --git a/units/systemd-journal-remote.service.in b/units/systemd-journal-remote.service.in
index 6181d15d777..334f030caa9 100644
--- a/units/systemd-journal-remote.service.in
+++ b/units/systemd-journal-remote.service.in
@@ -21,6 +21,7 @@ NoNewPrivileges=yes
 PrivateDevices=yes
 PrivateNetwork=yes
 PrivateTmp=yes
+ProtectClock=yes
 ProtectControlGroups=yes
 ProtectHome=yes
 ProtectHostname=yes
diff --git a/units/systemd-journald.service.in b/units/systemd-journald.service.in
index 5144868bcb7..0cb1bfa3ca7 100644
--- a/units/systemd-journald.service.in
+++ b/units/systemd-journald.service.in
@@ -25,6 +25,7 @@ LockPersonality=yes
 MemoryDenyWriteExecute=yes
 NoNewPrivileges=yes
 OOMScoreAdjust=-250
+ProtectClock=yes
 Restart=always
 RestartSec=0
 RestrictAddressFamilies=AF_UNIX AF_NETLINK
diff --git a/units/systemd-logind.service.in b/units/systemd-logind.service.in
index 23aa828591c..ed573b8f3c7 100644
--- a/units/systemd-logind.service.in
+++ b/units/systemd-logind.service.in
@@ -36,6 +36,7 @@ LockPersonality=yes
 MemoryDenyWriteExecute=yes
 NoNewPrivileges=yes
 PrivateTmp=yes
+ProtectClock=yes
 ProtectControlGroups=yes
 ProtectHome=yes
 ProtectHostname=yes
diff --git a/units/systemd-networkd.service.in b/units/systemd-networkd.service.in
index 1b69677496d..26731468413 100644
--- a/units/systemd-networkd.service.in
+++ b/units/systemd-networkd.service.in
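Review bot: The journald hunk's visible context shows neither `PrivateDevices=` nor a `DeviceAllow=` line, so whether the added `ProtectClock=yes` is safe here depends on lines outside the hunk. The setting implies `DeviceAllow=char-rtc r` (the commit message says as much), and once any `DeviceAllow=` rule is in effect the unit's device access becomes an allow-list; if the [Service] section had no explicit rule of its own, journald would presumably lose the device nodes it reads. The same applies to the logind hunk and the networkd hunk, whose context likewise shows no device settings. I would put a comment above each added line, such as `# ProtectClock= implies DeviceAllow=char-rtc r; this unit must keep its explicit DeviceAllow= rules`, so a later cleanup does not drop them. The [Service] section continues outside each hunk.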
@@ -26,6 +26,7 @@ ExecStart=!!@rootlibexecdir@/systemd-networkd
 LockPersonality=yes
 MemoryDenyWriteExecute=yes
 NoNewPrivileges=yes
+ProtectClock=yes
 ProtectControlGroups=yes
 ProtectHome=yes
 ProtectKernelModules=yes
diff --git a/units/systemd-resolved.service.in b/units/systemd-resolved.service.in
index f73697832cc..5723f1c1e2e 100644
--- a/units/systemd-resolved.service.in
+++ b/units/systemd-resolved.service.in
@@ -28,6 +28,7 @@ MemoryDenyWriteExecute=yes
 NoNewPrivileges=yes
 PrivateDevices=yes
 PrivateTmp=yes
+ProtectClock=yes
 ProtectControlGroups=yes
 ProtectHome=yes
 ProtectKernelModules=yes
diff --git a/units/systemd-udevd.service.in b/units/systemd-udevd.service.in
index 5eee69933bd..f3ebaa18a64 100644
--- a/units/systemd-udevd.service.in
+++ b/units/systemd-udevd.service.in
@@ -16,6 +16,8 @@ Before=sysinit.target
 ConditionPathIsReadWrite=/sys
 
 [Service]
+DeviceAllow=block-* rwm
+DeviceAllow=char-* rwm
 Type=notify
 # Note that udev also adjusts the OOM score internally and will reset the value internally for its workers
 OOMScoreAdjust=-1000
@@ -27,6 +29,7 @@ ExecReload=udevadm control --reload --timeout 0
 KillMode=mixed
 TasksMax=infinity
 PrivateMounts=yes
+ProtectClock=yes
 ProtectHostname=yes
 MemoryDenyWriteExecute=yes
 RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
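Review bot: `DeviceAllow=char-* rwm` in the first udevd hunk already grants write access to every character device, RTC devices included, so the read-only `char-rtc` rule implied by `ProtectClock=yes` adds no device-level restriction for this unit. Only the capability and system-call parts of the option would still apply. The two `DeviceAllow=` lines also sit at the top of [Service], apart from the other sandboxing options, with nothing saying why they are there. A comment above them such as `# Allow all devices explicitly: ProtectClock= implies a DeviceAllow= rule, which would otherwise turn device access into an allow-list` would record the reason. The [Service] section continues past the hunk.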
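Review bot: `ProtectClock=yes` in the second udevd hunk would presumably also bind udev's worker processes and the programs that rules start, since capability bounding sets and system-call filters are inherited by child processes. Any rule that sets the system or hardware clock in response to an RTC device event (none is visible here) would then fail with a permission error. The commit message excludes timesyncd and timedated but does not say this was checked for udev. I would either leave udevd out as well or add a comment next to the line, `# Note: programs run from udev rules cannot set the clock while this is enabled`.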