author | Lennart Poettering <lennart@poettering.net> | 2017-02-09 11:17:45 +0100 |
---|---|---|
committer | Lennart Poettering <lennart@poettering.net> | 2017-02-09 16:12:03 +0100 |
commit | 924453c22599cc246746a0233b2f52a27ade0819 (patch) | |
tree | cf345251a039ef8a152f51c009cc2c2f65e9b523 /units/systemd-coredump@.service.in | |
parent | b6c7278c38b5c240d8435ab6293838ee5de827cb (diff) | |
download | systemd-924453c22599cc246746a0233b2f52a27ade0819.tar.gz |
units: lock down coredump service a bit
Dissecting a coredump is possibly risky and might take a while, hence
lock down the unit as much as we can.
Diffstat (limited to 'units/systemd-coredump@.service.in')
-rw-r--r-- | units/systemd-coredump@.service.in | 14 |
1 files changed, 12 insertions, 2 deletions
diff --git a/units/systemd-coredump@.service.in b/units/systemd-coredump@.service.in index f12b28d6a6..18f2d2d605 100644 --- a/units/systemd-coredump@.service.in +++ b/units/systemd-coredump@.service.in @@ -19,9 +19,19 @@ Before=shutdown.target ExecStart=-@rootlibexecdir@/systemd-coredump Nice=9 OOMScoreAdjust=500 +RuntimeMaxSec=5min +PrivateTmp=yes +PrivateDevices=yes PrivateNetwork=yes ProtectSystem=strict -RuntimeMaxSec=5min +ProtectHome=yes +ProtectControlGroups=yes +ProtectKernelTunables=yes +ProtectKernelModules=yes +MemoryDenyWriteExecute=yes +RestrictRealtime=yes +RestrictNamespaces=yes +RestrictAddressFamilies=AF_UNIX +SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap SystemCallArchitectures=native ReadWritePaths=/var/lib/systemd/coredump -ProtectKernelModules=yes |
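Review bot: The SystemCallFilter= line added near the end of the hunk is a deny list (leading ~), so every syscall outside the ten named groups stays permitted, and neither the unit file nor the commit message records why these groups were chosen or which ones had to stay allowed for systemd-coredump to work. A short comment above the line, or a sentence in the commit message, giving that reasoning would keep later edits from adding or dropping a group blindly. Separately, RuntimeMaxSec=5min and ProtectKernelModules=yes are only moved, not changed, yet they show up as two remove/add pairs; saying in the commit message that this is pure reordering would make the 12 insertions and 2 deletions easier to audit.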