diff options
author | Lennart Poettering <lennart@poettering.net> | 2017-02-09 10:28:23 +0100 |
---|---|---|
committer | Lennart Poettering <lennart@poettering.net> | 2017-02-09 16:12:03 +0100 |
commit | 3c19d0b46bb05aef5dcaa2ce83c31b15ee8ae11b (patch) | |
tree | b2219c2de686c483c19b857993ed5a1c9edac879 /units/systemd-journald.service.in | |
parent | 7f396e5f66e91caf450890c34bc9e00b717aae86 (diff) | |
download | systemd-3c19d0b46bb05aef5dcaa2ce83c31b15ee8ae11b.tar.gz |
units: restrict namespace for a good number of our own services
Basically, we turn it on for most long-running services, with the
exception of machined (whose child processes need to join containers
here and there), and importd (which sandboxes tar in a CLONE_NEWNET
namespace). machined is left unrestricted, and importd is restricted to
use only "net"
Diffstat (limited to 'units/systemd-journald.service.in')
-rw-r--r-- | units/systemd-journald.service.in | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/units/systemd-journald.service.in b/units/systemd-journald.service.in index b2e7eeeda3..adabedd977 100644 --- a/units/systemd-journald.service.in +++ b/units/systemd-journald.service.in @@ -26,6 +26,7 @@ FileDescriptorStoreMax=1024 CapabilityBoundingSet=CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SYS_PTRACE CAP_SYSLOG CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_CHOWN CAP_DAC_READ_SEARCH CAP_FOWNER CAP_SETUID CAP_SETGID CAP_MAC_OVERRIDE MemoryDenyWriteExecute=yes RestrictRealtime=yes +RestrictNamespaces=yes RestrictAddressFamilies=AF_UNIX AF_NETLINK SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io SystemCallArchitectures=native |