authorLennart Poettering <lennart@poettering.net>2018-04-27 12:58:16 +0200
committerGitHub <noreply@github.com>2018-04-27 12:58:16 +0200
commitc73bb2676f91a0aa3854777213f2511945188d22 (patch)
treeefb21c5b90d021cb5ec2d8bb6ecc18bb8c595abc
parent7f9915f0de67f3a10a4b22810d119da65af8c84a (diff)
parentdea6363533a8190493692941593e9afdfa92685a (diff)
downloadsystemd-c73bb2676f91a0aa3854777213f2511945188d22.tar.gz
Merge pull request #8839 from yuwata/fix-8833
unit: tighten sandboxing for logind
-rw-r--r--src/login/logind-user.c4
-rw-r--r--src/login/logind.c1
-rw-r--r--units/systemd-logind.service.in4
3 files changed, 2 insertions, 7 deletions
diff --git a/src/login/logind-user.c b/src/login/logind-user.c
index 712067c52c..f513555142 100644
--- a/src/login/logind-user.c
+++ b/src/login/logind-user.c
@@ -7,7 +7,6 @@
#include <errno.h>
#include <string.h>
-#include <sys/mount.h>
#include <unistd.h>
#include <stdio_ext.h>
@@ -17,7 +16,6 @@
#include "bus-util.h"
#include "cgroup-util.h"
#include "clean-ipc.h"
-#include "conf-parser.h"
#include "escape.h"
#include "fd-util.h"
#include "fileio.h"
@@ -27,11 +25,9 @@
#include "label.h"
#include "logind-user.h"
#include "mkdir.h"
-#include "mount-util.h"
#include "parse-util.h"
#include "path-util.h"
#include "rm-rf.h"
-#include "smack-util.h"
#include "special.h"
#include "stdio-util.h"
#include "string-table.h"
diff --git a/src/login/logind.c b/src/login/logind.c
index d47ee2e36e..3b097e1def 100644
--- a/src/login/logind.c
+++ b/src/login/logind.c
@@ -17,7 +17,6 @@
#include "bus-error.h"
#include "bus-util.h"
#include "cgroup-util.h"
-#include "conf-parser.h"
#include "def.h"
#include "dirent-util.h"
#include "fd-util.h"
diff --git a/units/systemd-logind.service.in b/units/systemd-logind.service.in
index 968b92a45c..168fc007b0 100644
--- a/units/systemd-logind.service.in
+++ b/units/systemd-logind.service.in
@@ -29,8 +29,8 @@ CapabilityBoundingSet=CAP_SYS_ADMIN CAP_MAC_ADMIN CAP_AUDIT_CONTROL CAP_CHOWN CA
MemoryDenyWriteExecute=yes
RestrictRealtime=yes
RestrictNamespaces=yes
-RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
-SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @obsolete @raw-io @reboot @swap
+RestrictAddressFamilies=AF_UNIX AF_NETLINK
+SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
SystemCallArchitectures=native
LockPersonality=yes
IPAddressDeny=any
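Review bot: Adding `@mount` to the deny-list on the new `SystemCallFilter=` line makes any leftover mount()/umount2() call in logind fatal rather than refused, because a filtered call terminates the service with SIGSYS unless `SystemCallErrorNumber=` is set, and none is visible in this hunk (the unit may set it outside the hunk). The include removals in logind-user.c suggest the mount code has moved out of logind, but that is inferred from this page only. It is worth confirming that the user teardown paths no longer unmount anything, or adding `SystemCallErrorNumber=EPERM` after the filter line so a missed call degrades to an error return instead of killing the login manager. Separately, `CAP_SYS_ADMIN` is still in `CapabilityBoundingSet=` (visible in the hunk header); if mounting was a main reason for it, a follow-up could check whether it can be dropped, though other logind functions may still need it.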