units: lock down coredump service a bit

Dissecting a coredump is possibly risky and might take a while, hence lock down the unit as much as we can.
author: Lennart Poettering <lennart@poettering.net> 2017-02-09 11:17:45 +0100
committer: Lennart Poettering <lennart@poettering.net> 2017-02-09 16:12:03 +0100
commit: 924453c22599cc246746a0233b2f52a27ade0819 (patch)
tree: cf345251a039ef8a152f51c009cc2c2f65e9b523 /units/systemd-coredump@.service.in
parent: b6c7278c38b5c240d8435ab6293838ee5de827cb (diff)
download: systemd-924453c22599cc246746a0233b2f52a27ade0819.tar.gz
1 files changed, 12 insertions, 2 deletions
diff --git a/units/systemd-coredump@.service.in b/units/systemd-coredump@.service.in
index f12b28d6a6..18f2d2d605 100644
--- a/units/systemd-coredump@.service.in
+++ b/units/systemd-coredump@.service.in
@@ -19,9 +19,19 @@ Before=shutdown.target
 ExecStart=-@rootlibexecdir@/systemd-coredump
 Nice=9
 OOMScoreAdjust=500
+RuntimeMaxSec=5min
+PrivateTmp=yes
+PrivateDevices=yes
 PrivateNetwork=yes
 ProtectSystem=strict
-RuntimeMaxSec=5min
+ProtectHome=yes
+ProtectControlGroups=yes
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+MemoryDenyWriteExecute=yes
+RestrictRealtime=yes
+RestrictNamespaces=yes
+RestrictAddressFamilies=AF_UNIX
+SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
 SystemCallArchitectures=native
 ReadWritePaths=/var/lib/systemd/coredump
-ProtectKernelModules=yes
author	Lennart Poettering <lennart@poettering.net>	2017-02-09 11:17:45 +0100
committer	Lennart Poettering <lennart@poettering.net>	2017-02-09 16:12:03 +0100
commit	924453c22599cc246746a0233b2f52a27ade0819 (patch)
tree	cf345251a039ef8a152f51c009cc2c2f65e9b523 /units/systemd-coredump@.service.in
parent	b6c7278c38b5c240d8435ab6293838ee5de827cb (diff)
download	systemd-924453c22599cc246746a0233b2f52a27ade0819.tar.gz