units: turn on RestrictSUIDSGID= in most of our long-running daemons
poettering committed Apr 2, 2019
1 parent 7445db6 commit 62aa292
Showing 11 changed files with 12 additions and 1 deletion.
1 change: 1 addition & 0 deletions units/systemd-coredump@.service.in
Expand Up @@ -36,6 +36,7 @@ ProtectSystem=strict
RestrictAddressFamilies=AF_UNIX
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
RuntimeMaxSec=5min
StateDirectory=systemd/coredump
SystemCallArchitectures=native
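Review bot: The commit message should name the long-running daemons that were deliberately left out and why, since the title only says "most"; without that, the next hardening sweep cannot tell an oversight from an exclusion (daemons that unpack images or tarballs plausibly need to create SUID/SGID files legitimately and should be listed as intentional). Two caveats a reader of this unit will want: like the other seccomp-backed Restrict*= settings in the same block, `RestrictSUIDSGID=yes` is enforced as a seccomp filter (mode-bit checks on mkdir()/chmod()/open() and friends, failing with EPERM) and is silently skipped on kernels without seccomp, so it is defence in depth rather than a guarantee other code may rely on; and systemd-coredump@.service is an instanced per-crash helper bounded by `RuntimeMaxSec=5min` rather than a daemon, which is fine but means the protection only covers the window in which a dump is written. The [Service] section continues outside the hunk on both sides.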
1 change: 1 addition & 0 deletions units/systemd-hostnamed.service.in
Expand Up @@ -32,6 +32,7 @@ ReadWritePaths=/etc
RestrictAddressFamilies=AF_UNIX
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
SystemCallArchitectures=native
SystemCallErrorNumber=EPERM
SystemCallFilter=@system-service sethostname
1 change: 1 addition & 0 deletions units/systemd-journal-remote.service.in
Expand Up @@ -30,6 +30,7 @@ ProtectSystem=strict
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
SystemCallArchitectures=native
User=systemd-journal-remote
WatchdogSec=3min
1 change: 1 addition & 0 deletions units/systemd-journald.service.in
Expand Up @@ -28,6 +28,7 @@ RestartSec=0
RestrictAddressFamilies=AF_UNIX AF_NETLINK
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
Sockets=systemd-journald.socket systemd-journald-dev-log.socket systemd-journald-audit.socket
StandardOutput=null
SystemCallArchitectures=native
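Review bot: Worth a sanity check against journald's directory handling before this lands: journald relies on /var/log/journal and its per-machine subdirectory being setgid so new journal files inherit group systemd-journal, and RestrictSUIDSGID= is enforced as a seccomp filter on the mode argument of mkdir()/chmod()/fchmod()/open(), returning EPERM. It is harmless as long as journald never passes S_ISGID itself — presumably it creates the directory with a plain mode and leaves the 2755 to tmpfiles.d, with the kernel propagating the parent's SGID bit — but any code path that does mkdir() or fchmod() with 02755 would now fail and fall back to whatever the error path does. A one-line note in the commit message that this was checked would spare the next reader the same question. The [Service] section continues outside the hunk on both sides.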
1 change: 1 addition & 0 deletions units/systemd-localed.service.in
Expand Up @@ -33,6 +33,7 @@ ReadWritePaths=/etc
RestrictAddressFamilies=AF_UNIX
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
SystemCallArchitectures=native
SystemCallErrorNumber=EPERM
SystemCallFilter=@system-service
1 change: 1 addition & 0 deletions units/systemd-logind.service.in
Expand Up @@ -40,6 +40,7 @@ RestartSec=0
RestrictAddressFamilies=AF_UNIX AF_NETLINK
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
RuntimeDirectory=systemd/sessions systemd/seats systemd/users systemd/inhibit systemd/shutdown
RuntimeDirectoryPreserve=yes
SystemCallArchitectures=native
1 change: 1 addition & 0 deletions units/systemd-networkd.service.in
Expand Up @@ -34,6 +34,7 @@ RestartSec=0
RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6 AF_PACKET
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
RuntimeDirectory=systemd/netif
RuntimeDirectoryPreserve=yes
SystemCallArchitectures=native
1 change: 1 addition & 0 deletions units/systemd-resolved.service.in
Expand Up @@ -38,6 +38,7 @@ RestartSec=0
RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
RuntimeDirectory=systemd/resolve
RuntimeDirectoryPreserve=yes
SystemCallArchitectures=native
1 change: 1 addition & 0 deletions units/systemd-timedated.service.in
Expand Up @@ -31,6 +31,7 @@ ReadWritePaths=/etc
RestrictAddressFamilies=AF_UNIX
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
SystemCallArchitectures=native
SystemCallErrorNumber=EPERM
SystemCallFilter=@system-service @clock
1 change: 1 addition & 0 deletions units/systemd-timesyncd.service.in
Expand Up @@ -38,6 +38,7 @@ RestartSec=0
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
RuntimeDirectory=systemd/timesync
StateDirectory=systemd/timesync
SystemCallArchitectures=native
3 changes: 2 additions & 1 deletion units/systemd-udevd.service.in
Expand Up @@ -28,8 +28,9 @@ TasksMax=infinity
PrivateMounts=yes
ProtectHostname=yes
MemoryDenyWriteExecute=yes
RestrictRealtime=yes
RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
RestrictRealtime=yes
RestrictSUIDSGID=yes
SystemCallFilter=@system-service @module @raw-io
SystemCallErrorNumber=EPERM
SystemCallArchitectures=native
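Review bot: As far as I can tell udev applies a rule's MODE= by chmod()ing the device node with the requested mode, so with `RestrictSUIDSGID=yes` a rule asking for a setuid or setgid mode (e.g. `MODE="2660"`) now fails with EPERM inside udevd, and because the seccomp filter is inherited by PROGRAM=/RUN= children those helpers likewise can no longer create SUID/SGID files. That is presumably intended, but it is a user-visible behaviour change and deserves a sentence in NEWS and in the MODE= entry of udev(7). Minor style point on the same hunk: the commit moves `RestrictRealtime=yes` below `RestrictAddressFamilies=` to sort the Restrict* lines, but the neighbouring lines (`MemoryDenyWriteExecute=` after `ProtectHostname=`, `SystemCallFilter=` before `SystemCallErrorNumber=`) remain out of the alphabetical order the other units in this commit follow. The [Service] section continues outside the hunk on both sides.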

0 comments on commit 62aa292

Please sign in to comment.