units: turn on RestrictSUIDSGID= in most of our long-running daemons

(cherry picked from commit 62aa29247c3d74bcec0607c347f2be23cd90675d)
Related: #1687512

diff --git a/units/systemd-coredump@.service.in b/units/systemd-coredump@.service.in
index 68a68a5055845631f363f4010df2eb5062cd40e0..d69ebd8b24662a6d604e0a00161fe9a79f523a31 100644 (file)
--- a/units/systemd-coredump@.service.in
+++ b/units/systemd-coredump@.service.in
@@ -33,6 +33,7 @@ MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictNamespaces=yes
 RestrictAddressFamilies=AF_UNIX
+RestrictSUIDSGID=yes
 SystemCallFilter=@system-service
 SystemCallErrorNumber=EPERM
 SystemCallArchitectures=native

diff --git a/units/systemd-hostnamed.service.in b/units/systemd-hostnamed.service.in
index 4e5470dd2964abfca1e05467c0dc6093b0c06e09..97d4e142bc7bbd5cb397f880d73c3018d4e1ae58 100644 (file)
--- a/units/systemd-hostnamed.service.in
+++ b/units/systemd-hostnamed.service.in
@@ -29,6 +29,7 @@ MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictNamespaces=yes
 RestrictAddressFamilies=AF_UNIX
+RestrictSUIDSGID=yes
 SystemCallFilter=@system-service sethostname
 SystemCallErrorNumber=EPERM
 SystemCallArchitectures=native

diff --git a/units/systemd-journal-remote.service.in b/units/systemd-journal-remote.service.in
index a94265f215b1ec34d72e9ec984edcf6a3b367e0a..3c914f5a405daa9b50ae602704a9134ee9c60d88 100644 (file)
--- a/units/systemd-journal-remote.service.in
+++ b/units/systemd-journal-remote.service.in
@@ -28,6 +28,7 @@ MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictNamespaces=yes
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictSUIDSGID=yes
 SystemCallArchitectures=native
 LockPersonality=yes
 LogsDirectory=journal/remote

diff --git a/units/systemd-journald.service.in b/units/systemd-journald.service.in
index e109b2579288df1707d54367291b8f5662e37e15..ab9ec35ff8d8454010940801a7f78db8b0bc8dcd 100644 (file)
--- a/units/systemd-journald.service.in
+++ b/units/systemd-journald.service.in
@@ -21,6 +21,7 @@ Sockets=systemd-journald.socket systemd-journald-dev-log.socket
 ExecStart=@rootlibexecdir@/systemd-journald
 Restart=always
 RestartSec=0
+RestrictSUIDSGID=yes
 StandardOutput=null
 WatchdogSec=3min
 FileDescriptorStoreMax=4224

diff --git a/units/systemd-localed.service.in b/units/systemd-localed.service.in
index ce043db154a956b73182b255c29fde567cc682c7..b87d60e9eb44b3a9f5a3a92b6ea38c7bf401982b 100644 (file)
--- a/units/systemd-localed.service.in
+++ b/units/systemd-localed.service.in
@@ -29,6 +29,7 @@ MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictNamespaces=yes
 RestrictAddressFamilies=AF_UNIX
+RestrictSUIDSGID=yes
 SystemCallFilter=@system-service
 SystemCallErrorNumber=EPERM
 SystemCallArchitectures=native

diff --git a/units/systemd-logind.service.in b/units/systemd-logind.service.in
index 6953fac55ba5fe0eaa66b917e5fb9cf47913abf4..086338e03bba645eca954187fffe49cc271d796b 100644 (file)
--- a/units/systemd-logind.service.in
+++ b/units/systemd-logind.service.in
@@ -30,6 +30,7 @@ MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictNamespaces=yes
 RestrictAddressFamilies=AF_UNIX AF_NETLINK
+RestrictSUIDSGID=yes
 SystemCallFilter=@system-service
 SystemCallErrorNumber=EPERM
 SystemCallArchitectures=native

diff --git a/units/systemd-networkd.service.in b/units/systemd-networkd.service.in
index 371ab3a9cfec866c978c854159c478a881f27af0..a0f34ac73827713fc6f4b2c763b748c6983bdb86 100644 (file)
--- a/units/systemd-networkd.service.in
+++ b/units/systemd-networkd.service.in
@@ -39,6 +39,7 @@ SystemCallFilter=@system-service
 SystemCallErrorNumber=EPERM
 SystemCallArchitectures=native
 LockPersonality=yes
+RestrictSUIDSGID=yes
 RuntimeDirectory=systemd/netif
 RuntimeDirectoryPreserve=yes
 

diff --git a/units/systemd-resolved.service.in b/units/systemd-resolved.service.in
index aaed406ab2a4fd7521adbdd5d74059d507dbb80a..6c2ad5ca8655fb491da99faaf3e325a2db72c124 100644 (file)
--- a/units/systemd-resolved.service.in
+++ b/units/systemd-resolved.service.in
@@ -41,6 +41,7 @@ SystemCallFilter=@system-service
 SystemCallErrorNumber=EPERM
 SystemCallArchitectures=native
 LockPersonality=yes
+RestrictSUIDSGID=yes
 RuntimeDirectory=systemd/resolve
 RuntimeDirectoryPreserve=yes
 

diff --git a/units/systemd-timedated.service.in b/units/systemd-timedated.service.in
index 662b39557a14ef1f12d775635cdea76d079477fa..1da2bc4bb0b3a3517535d7eca9b3992a3fdcf7e2 100644 (file)
--- a/units/systemd-timedated.service.in
+++ b/units/systemd-timedated.service.in
@@ -27,6 +27,7 @@ MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictNamespaces=yes
 RestrictAddressFamilies=AF_UNIX
+RestrictSUIDSGID=yes
 SystemCallFilter=@system-service @clock
 SystemCallErrorNumber=EPERM
 SystemCallArchitectures=native

diff --git a/units/systemd-timesyncd.service.in b/units/systemd-timesyncd.service.in
index 4a490b6e1635cc15fbfc46e0cff9f6537003f756..c2b95517266c6794eeefe3232060d8d47161160b 100644 (file)
--- a/units/systemd-timesyncd.service.in
+++ b/units/systemd-timesyncd.service.in
@@ -37,6 +37,7 @@ MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictNamespaces=yes
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictSUIDSGID=yes
 RuntimeDirectory=systemd/timesync
 SystemCallFilter=@system-service @clock
 SystemCallErrorNumber=EPERM

diff --git a/units/systemd-udevd.service.in b/units/systemd-udevd.service.in
index fd9ead3bb82800d2d6ab38bd86f4938c062a3258..970cf0f290cf1e4d11c902758c2ca68ed8cbd416 100644 (file)
--- a/units/systemd-udevd.service.in
+++ b/units/systemd-udevd.service.in
@@ -27,8 +27,9 @@ WatchdogSec=3min
 TasksMax=infinity
 PrivateMounts=yes
 MemoryDenyWriteExecute=yes
-RestrictRealtime=yes
 RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
 SystemCallFilter=@system-service @module @raw-io
 SystemCallErrorNumber=EPERM
 SystemCallArchitectures=native