author | Lennart Poettering <lennart@poettering.net> | 2018-04-27 12:58:16 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2018-04-27 12:58:16 +0200 |
commit | c73bb2676f91a0aa3854777213f2511945188d22 (patch) | |
tree | efb21c5b90d021cb5ec2d8bb6ecc18bb8c595abc | |
parent | 7f9915f0de67f3a10a4b22810d119da65af8c84a (diff) | |
parent | dea6363533a8190493692941593e9afdfa92685a (diff) | |
download | systemd-c73bb2676f91a0aa3854777213f2511945188d22.tar.gz |
Merge pull request #8839 from yuwata/fix-8833
unit: tighten sandboxing for logind
-rw-r--r-- | src/login/logind-user.c | 4 | ||||
-rw-r--r-- | src/login/logind.c | 1 | ||||
-rw-r--r-- | units/systemd-logind.service.in | 4 |
3 files changed, 2 insertions, 7 deletions
diff --git a/src/login/logind-user.c b/src/login/logind-user.c
index 712067c52c..f513555142 100644
--- a/src/login/logind-user.c
+++ b/src/login/logind-user.c
@@ -7,7 +7,6 @@
 #include <errno.h>
 #include <string.h>
-#include <sys/mount.h>
 #include <unistd.h>
 #include <stdio_ext.h>
@@ -17,7 +16,6 @@
 #include "bus-util.h"
 #include "cgroup-util.h"
 #include "clean-ipc.h"
-#include "conf-parser.h"
 #include "escape.h"
 #include "fd-util.h"
 #include "fileio.h"
@@ -27,11 +25,9 @@
 #include "label.h"
 #include "logind-user.h"
 #include "mkdir.h"
-#include "mount-util.h"
 #include "parse-util.h"
 #include "path-util.h"
 #include "rm-rf.h"
-#include "smack-util.h"
 #include "special.h"
 #include "stdio-util.h"
 #include "string-table.h"
diff --git a/src/login/logind.c b/src/login/logind.c
index d47ee2e36e..3b097e1def 100644
--- a/src/login/logind.c
+++ b/src/login/logind.c
@@ -17,7 +17,6 @@
 #include "bus-error.h"
 #include "bus-util.h"
 #include "cgroup-util.h"
-#include "conf-parser.h"
 #include "def.h"
 #include "dirent-util.h"
 #include "fd-util.h"
diff --git a/units/systemd-logind.service.in b/units/systemd-logind.service.in
index 968b92a45c..168fc007b0 100644
--- a/units/systemd-logind.service.in
+++ b/units/systemd-logind.service.in
@@ -29,8 +29,8 @@ CapabilityBoundingSet=CAP_SYS_ADMIN CAP_MAC_ADMIN CAP_AUDIT_CONTROL CAP_CHOWN CA
 MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictNamespaces=yes
-RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
-SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @obsolete @raw-io @reboot @swap
+RestrictAddressFamilies=AF_UNIX AF_NETLINK
+SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
 SystemCallArchitectures=native
 LockPersonality=yes
 IPAddressDeny=any |
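Review bot: Adding `@mount` to the deny-list in `SystemCallFilter=` changes the failure mode of any mount()/umount2() call still reachable in logind: unless `SystemCallErrorNumber=` is set elsewhere in the unit (not visible in this hunk), a filtered call terminates the service instead of returning an error. The logind-user.c hunks on this page only drop the mount-related includes, so the removal of the call sites themselves cannot be confirmed from here; it is worth verifying that none remain and recording the reason above the filter, e.g. `# logind presumably no longer mounts the user runtime directory itself, hence @mount is denied`. The hunk header also shows `CAP_SYS_ADMIN` still in `CapabilityBoundingSet=`; if it is kept for something other than mounting, a one-line comment naming that use would help the next person tightening this unit.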