authorLennart Poettering <lennart@poettering.net>2017-09-14 19:45:40 +0200
committerZbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>2017-09-14 19:45:40 +0200
commitbff8f2543b27d44d8b245eb78ad7e47607d4a53f (patch)
tree23266740f828edf52ca033fd99a4f80b14e7eeea
parent71b514298bbece7da6bf33c25e46ab4fe8d8d35e (diff)
downloadsystemd-bff8f2543b27d44d8b245eb78ad7e47607d4a53f.tar.gz
units: set LockPersonality= for all our long-running services (#6819)
Let's lock things down. Also, using it is the only way to properly test this to the fullest extent.
-rw-r--r--TODO2
-rw-r--r--units/systemd-coredump@.service.in1
-rw-r--r--units/systemd-hostnamed.service.in1
-rw-r--r--units/systemd-importd.service.in1
-rw-r--r--units/systemd-journal-gatewayd.service.in1
-rw-r--r--units/systemd-journal-remote.service.in1
-rw-r--r--units/systemd-journal-upload.service.in1
-rw-r--r--units/systemd-journald.service.in1
-rw-r--r--units/systemd-localed.service.in1
-rw-r--r--units/systemd-logind.service.in1
-rw-r--r--units/systemd-machined.service.in1
-rw-r--r--units/systemd-networkd.service.in1
-rw-r--r--units/systemd-resolved.service.in1
-rw-r--r--units/systemd-timedated.service.in1
-rw-r--r--units/systemd-timesyncd.service.in1
-rw-r--r--units/systemd-udevd.service.in1
16 files changed, 15 insertions, 2 deletions
diff --git a/TODO b/TODO
index e65733e334..cabba100a5 100644
--- a/TODO
+++ b/TODO
@@ -27,8 +27,6 @@ Features:
* dissect: when we discover squashfs, don't claim we had a "writable" partition
in systemd-dissect
-* set LockPersonality= on all our services
-
* Add AddUser= setting to unit files, similar to DynamicUser=1 which however
creates a static, persistent user rather than a dynamic, transient user. We
can leverage code from sysusers.d for this.
diff --git a/units/systemd-coredump@.service.in b/units/systemd-coredump@.service.in
index c699a80f34..d7eaf3398e 100644
--- a/units/systemd-coredump@.service.in
+++ b/units/systemd-coredump@.service.in
@@ -33,4 +33,5 @@ RestrictNamespaces=yes
RestrictAddressFamilies=AF_UNIX
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
SystemCallArchitectures=native
+LockPersonality=yes
StateDirectory=systemd/coredump
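Review bot: LockPersonality=yes is enforced by installing a seccomp filter on personality(2), so on a kernel or build without seccomp support the line loads cleanly but restricts nothing; the same applies to the identical one-line additions in the hostnamed, importd, journal-gatewayd, journal-remote, journal-upload, journald, localed, logind, machined, networkd, resolved, timedated, timesyncd and udevd hunks. Since the description presents these units as the test vehicle for the new setting, the verification should be done on a seccomp-capable host and should confirm that a personality() call from the service's process is actually rejected, not merely that `systemctl show -p LockPersonality` reports the value. The journal-gatewayd, journal-remote, journal-upload and udevd hunks show SystemCallArchitectures=native but no SystemCallFilter= in their visible context; if those units indeed carry no syscall filter, this line becomes one of only two seccomp restrictions there, which is worth recording in a short comment above it. Note also that systemd-coredump@.service is a per-crash template rather than a long-running service, so the commit title slightly overstates the set it covers.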
diff --git a/units/systemd-hostnamed.service.in b/units/systemd-hostnamed.service.in
index d29e9ff81b..9bb5ad8cac 100644
--- a/units/systemd-hostnamed.service.in
+++ b/units/systemd-hostnamed.service.in
@@ -29,4 +29,5 @@ RestrictNamespaces=yes
RestrictAddressFamilies=AF_UNIX
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
SystemCallArchitectures=native
+LockPersonality=yes
ReadWritePaths=/etc
diff --git a/units/systemd-importd.service.in b/units/systemd-importd.service.in
index 58762055eb..695a5f21cb 100644
--- a/units/systemd-importd.service.in
+++ b/units/systemd-importd.service.in
@@ -23,3 +23,4 @@ RestrictNamespaces=net
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @obsolete @raw-io @reboot @swap
SystemCallArchitectures=native
+LockPersonality=yes
diff --git a/units/systemd-journal-gatewayd.service.in b/units/systemd-journal-gatewayd.service.in
index fd7a9718f7..b24d698c8a 100644
--- a/units/systemd-journal-gatewayd.service.in
+++ b/units/systemd-journal-gatewayd.service.in
@@ -25,6 +25,7 @@ RestrictRealtime=yes
RestrictNamespaces=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
SystemCallArchitectures=native
+LockPersonality=yes
# If there are many split upjournal files we need a lot of fds to
# access them all and combine
diff --git a/units/systemd-journal-remote.service.in b/units/systemd-journal-remote.service.in
index c24e673d82..92cec21c2f 100644
--- a/units/systemd-journal-remote.service.in
+++ b/units/systemd-journal-remote.service.in
@@ -27,6 +27,7 @@ RestrictRealtime=yes
RestrictNamespaces=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
SystemCallArchitectures=native
+LockPersonality=yes
LogsDirectory=journal/remote
[Install]
diff --git a/units/systemd-journal-upload.service.in b/units/systemd-journal-upload.service.in
index b0bee3925e..98a4b2bb7a 100644
--- a/units/systemd-journal-upload.service.in
+++ b/units/systemd-journal-upload.service.in
@@ -28,6 +28,7 @@ RestrictRealtime=yes
RestrictNamespaces=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
SystemCallArchitectures=native
+LockPersonality=yes
StateDirectory=systemd/journal-upload
# If there are many split up journal files we need a lot of fds to
diff --git a/units/systemd-journald.service.in b/units/systemd-journald.service.in
index 1e86d63648..07e03e736e 100644
--- a/units/systemd-journald.service.in
+++ b/units/systemd-journald.service.in
@@ -29,6 +29,7 @@ RestrictNamespaces=yes
RestrictAddressFamilies=AF_UNIX AF_NETLINK
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
SystemCallArchitectures=native
+LockPersonality=yes
# Increase the default a bit in order to allow many simultaneous
# services being run since we keep one fd open per service. Also, when
diff --git a/units/systemd-localed.service.in b/units/systemd-localed.service.in
index 90a913881a..1366fa7910 100644
--- a/units/systemd-localed.service.in
+++ b/units/systemd-localed.service.in
@@ -29,4 +29,5 @@ RestrictNamespaces=yes
RestrictAddressFamilies=AF_UNIX
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
SystemCallArchitectures=native
+LockPersonality=yes
ReadWritePaths=/etc
diff --git a/units/systemd-logind.service.in b/units/systemd-logind.service.in
index f851373658..f6daf7755c 100644
--- a/units/systemd-logind.service.in
+++ b/units/systemd-logind.service.in
@@ -30,6 +30,7 @@ RestrictNamespaces=yes
RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @obsolete @raw-io @reboot @swap
SystemCallArchitectures=native
+LockPersonality=yes
FileDescriptorStoreMax=512
# Increase the default a bit in order to allow many simultaneous
diff --git a/units/systemd-machined.service.in b/units/systemd-machined.service.in
index a4f86aa7c8..fb4df38293 100644
--- a/units/systemd-machined.service.in
+++ b/units/systemd-machined.service.in
@@ -23,6 +23,7 @@ RestrictRealtime=yes
RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @obsolete @raw-io @reboot @swap
SystemCallArchitectures=native
+LockPersonality=yes
# Note that machined cannot be placed in a mount namespace, since it
# needs access to the host's mount namespace in order to implement the
diff --git a/units/systemd-networkd.service.in b/units/systemd-networkd.service.in
index 3f0ad77b7d..932dd63964 100644
--- a/units/systemd-networkd.service.in
+++ b/units/systemd-networkd.service.in
@@ -34,6 +34,7 @@ RestrictRealtime=yes
RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6 AF_PACKET
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
SystemCallArchitectures=native
+LockPersonality=yes
RuntimeDirectory=systemd/netif
RuntimeDirectoryPreserve=yes
diff --git a/units/systemd-resolved.service.in b/units/systemd-resolved.service.in
index ba8d3f6bb1..cda83ee966 100644
--- a/units/systemd-resolved.service.in
+++ b/units/systemd-resolved.service.in
@@ -36,6 +36,7 @@ RestrictRealtime=yes
RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
SystemCallArchitectures=native
+LockPersonality=yes
RuntimeDirectory=systemd/resolve
RuntimeDirectoryPreserve=yes
diff --git a/units/systemd-timedated.service.in b/units/systemd-timedated.service.in
index 2b5f0744c9..9fca1d1905 100644
--- a/units/systemd-timedated.service.in
+++ b/units/systemd-timedated.service.in
@@ -27,4 +27,5 @@ RestrictNamespaces=yes
RestrictAddressFamilies=AF_UNIX
SystemCallFilter=~@cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
SystemCallArchitectures=native
+LockPersonality=yes
ReadWritePaths=/etc
diff --git a/units/systemd-timesyncd.service.in b/units/systemd-timesyncd.service.in
index a6e14d24d1..8d3f46cf5e 100644
--- a/units/systemd-timesyncd.service.in
+++ b/units/systemd-timesyncd.service.in
@@ -38,6 +38,7 @@ RestrictNamespaces=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
SystemCallFilter=~@cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
SystemCallArchitectures=native
+LockPersonality=yes
StateDirectory=systemd/timesync
[Install]
diff --git a/units/systemd-udevd.service.in b/units/systemd-udevd.service.in
index 3b92c6a866..d3d13ed7cf 100644
--- a/units/systemd-udevd.service.in
+++ b/units/systemd-udevd.service.in
@@ -28,3 +28,4 @@ MemoryDenyWriteExecute=yes
RestrictRealtime=yes
RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
SystemCallArchitectures=native
+LockPersonality=yes